CVE-2017-20224 in SDT-CS3B1
Summary
by MITRE • 03/16/2026
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious content by exploiting enabled WebDAV HTTP methods. Attackers can use PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content for remote code execution or denial of service.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/16/2026
The CVE-2017-20224 vulnerability affects the Telesquare SKT LTE Router SDT-CS3B1 model running firmware version 1.2.0, representing a critical security flaw that exposes the device to unauthorized manipulation through enabled WebDAV HTTP methods. This vulnerability exists within the router's web interface configuration, where WebDAV functionality has been inadvertently enabled without proper authentication requirements, creating an attack surface that allows any remote unauthenticated user to exploit the device's file management capabilities.
The technical exploitation of this vulnerability relies on the implementation of several WebDAV HTTP methods that are typically used for collaborative document management and server content manipulation. Attackers can leverage the PUT method to upload malicious files directly to the router's file system, while DELETE operations enable them to remove existing files or directories. The MKCOL method allows for directory creation, MOVE and COPY operations facilitate file repositioning and duplication, and PROPPATCH enables modification of file properties. When combined, these methods create a comprehensive attack vector that can be exploited to establish persistent access to the device's underlying system.
The operational impact of this vulnerability extends beyond simple unauthorized file access, as it provides attackers with the capability to execute arbitrary code on the affected device. This remote code execution capability enables attackers to install backdoors, modify router configurations, redirect network traffic, or establish persistent access points for further network infiltration. The vulnerability essentially transforms the router from a simple network gateway into a potential command and control server, allowing attackers to use it as a launching point for attacks against other devices within the local network or to conduct man-in-the-middle attacks.
The security implications of this vulnerability align with CWE-434, which describes insecure file upload vulnerabilities where applications accept files from untrusted sources without proper validation. This weakness creates a pathway for attackers to bypass normal access controls and gain unauthorized system privileges. From an ATT&CK framework perspective, this vulnerability maps to multiple techniques including T1190 for exploit for client execution, T1059 for command and scripting interpreter, and T1071 for application layer protocol, as attackers can use the compromised router to establish covert communication channels. The vulnerability also represents a significant risk for credential theft, as attackers can potentially intercept or modify network traffic passing through the compromised device.
Mitigation strategies for CVE-2017-20224 should prioritize immediate firmware updates from the vendor if available, as the manufacturer may have released patches addressing the WebDAV configuration issues. Network segmentation and firewall rules should be implemented to restrict access to the router's web interface from untrusted networks, while disabling unnecessary WebDAV methods through proper router configuration settings. Additionally, network monitoring should be enhanced to detect unusual file upload activities or WebDAV method usage patterns that might indicate exploitation attempts. Security audits should include verification of WebDAV method availability and proper authentication requirements for all HTTP methods exposed by network devices. Organizations should also implement regular vulnerability assessments and penetration testing to identify similar misconfigurations in other network infrastructure components. The vulnerability serves as a reminder of the critical importance of secure configuration management and the need for comprehensive network security policies that address both perimeter defenses and internal device security controls.