Description
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious content by exploiting enabled WebDAV HTTP methods. Attackers can use PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content for remote code execution or denial of service.
Published: 2026-03-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file upload that can lead to remote code execution or denial of service
Action: Immediate Patch
AI Analysis

Impact

Unauthenticated attackers can exploit enabled WebDAV HTTP methods on the Telesquare SDT-CS3B1 router to upload arbitrary files, delete or move existing ones, and manipulate server content. By uploading executable code the attacker can achieve remote code execution, while improper handling of file operations can also lead to denial of service. The weakness corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

The vulnerability applies to the Telesquare SDT-CS3B1 LTE Router, specifically firmware versions 1.1.0 and 1.2.0. Any deployment of these firmware releases is affected unless mitigated by configuration changes.

Risk and Exploitability

The CVSS base score is 9.3, which places the vulnerability in the critical severity range. The EPSS score is below 1%, suggesting that exploitation, while possible, is currently estimated to be unlikely. The issue is not listed in the CISA KEV catalog, so no known active exploitation has yet been publicized. The attack path requires no authentication and relies on standard WebDAV methods such as PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH, making the vulnerability readily exploitable wherever WebDAV functionality is enabled.

Generated by OpenCVE AI on March 22, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version that removes the vulnerable WebDAV functionality, if a patched release is available from Telesquare.
  • If no firmware update is possible, disable all WebDAV HTTP methods (PUT, DELETE, MKCOL, MOVE, COPY, PROPPATCH) on the device or block them through a firewall rule.
  • Verify that remote management interfaces are secured and that only authenticated users can access configuration ports.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious content by exploiting enabled WebDAV HTTP methods. Attackers can use PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content for remote code execution or denial of service.
Title | | Telesquare SKT LTE Router SDT-CS3B1 WebDAV Arbitrary File Upload
First Time appeared | | Telesquare; Telesquare sdt-cs3b1; Telesquare sdt-cs3b1 Firmware
Weaknesses | | CWE-434
CPEs | | cpe:2.3:h:telesquare:sdt-cs3b1:-:*:*:*:*:*:*:*; cpe:2.3:o:telesquare:sdt-cs3b1_firmware:1.1.0:*:*:*:*:*:*:*; cpe:2.3:o:telesquare:sdt-cs3b1_firmware:1.2.0:*:*:*:*:*:*:*
Vendors & Products | | Telesquare; Telesquare sdt-cs3b1; Telesquare sdt-cs3b1 Firmware
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:16.427Z

Reserved: 2026-03-15T21:57:29.608Z

Link: CVE-2017-20224

Vulnrichment

Updated: 2026-03-16T14:16:59.123Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:17:52.560

Modified: 2026-03-16T14:53:46.157

Link: CVE-2017-20224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:00:44Z
