CVE-2007-3010
published 2007-09-18
CVE-2007-3010: masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary…
Priority P191 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-06
Exploited in the wild
EPSS
97.41%
99.9th percentile
masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the user parameter during a ping action.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| al-enterprise | omnipcx_enterprise_communication_server | <= 7.1 | — |
Detection & IOCs (extracted from sources)
yara regex: uid=[0-9]+.*gid=[0-9]+.*
- Look for HTTP GET requests to /cgi-bin/masterCGI with both 'ping=nomip' and shell metacharacters (semicolons) in the 'user' parameter, indicating command injection attempts.
- Spaces in injected commands are replaced with ${IFS} to bypass filtering; detect URL-encoded or literal '${IFS}' in the 'user' parameter of requests to masterCGI.
- The exploit targets HTTPS (port 443) by default; monitor SSL/TLS traffic to the OmniPCX web interface for requests matching the masterCGI injection pattern.
- Response body containing 'uid=' and 'gid=' output (from injected 'id' command) confirms successful exploitation; alert on such patterns in HTTP 200 responses from masterCGI.
- Use Shodan/FOFA queries to identify exposed OmniPCX instances: title:"OmniPCX for Enterprise" or app="Alcatel_Lucent-OmniPCX-Enterprise".
- The vulnerability is unauthenticated; any request to masterCGI with the 'ping' action and a 'user' parameter containing semicolons or other shell metacharacters should be treated as a high-confidence attack indicator.
- The Metasploit module only supports command-line (non-interactive) payloads; reverse/bind shells are killed by the httpd process after the HTTP 200 OK response is sent.
- Exploitation yields only 'httpd' user privileges, not root; post-exploitation privilege escalation would be required for full system compromise.
- The module defaults to SSL on port 443; non-SSL or non-standard port deployments require manual configuration adjustment.
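The request-side and response-side checks from the list above, combined into a log triage sketch. This is an added example, not code from any of the quoted sources; the combined-log-format layout, the sample lines and the finding names are assumptions, while the response regex is the one listed on this page.

```python
import re
from urllib.parse import unquote

SHELL_META = re.compile(r"[;&|`$<>(){}\\\r\n]")      # never valid in a user name
IFS_TRICK = re.compile(r"\$\{?IFS\}?")               # ${IFS} / $IFS standing in for spaces
ID_OUTPUT = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")  # response regex listed on this page
LOG_LINE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode(value, rounds=3):
    """Percent-decode several times so double-encoded input is normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def inspect_target(target):
    """Return findings for one request target (path plus query string)."""
    path, _, query = target.partition("?")
    if not decode(path).lower().endswith("/cgi-bin/mastercgi"):
        return []
    params = {}
    for pair in query.split("&"):   # split on '&' only: ';' is data here, not a separator
        key, _, val = pair.partition("=")
        params[decode(key).lower()] = decode(val)
    if "ping" not in params or "user" not in params:
        return []
    checks = (("shell-metachar-in-user", SHELL_META), ("ifs-space-substitution", IFS_TRICK))
    return [name for name, rx in checks if rx.search(params["user"])]

def response_shows_id(body):
    return bool(ID_OUTPUT.search(body))   # output shaped like the id command's

def scan(lines):
    """Return (source, status, findings) for every suspicious access-log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        findings = inspect_target(m["target"]) if m else []
        if findings:
            hits.append((m["src"], int(m["status"]), findings))
    return hits

# Constructed sample lines (documentation address ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2024:10:02:11 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=;ls${IFS}-l; HTTP/1.1" 200 412',
    '198.51.100.23 - - [01/Jan/2024:10:02:15 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=%3Bid%3B HTTP/1.1" 200 57',
    '192.0.2.10 - - [01/Jan/2024:10:05:40 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=operator HTTP/1.1" 200 230',
]
```

A 200 status on a flagged line only shows the CGI answered; pair it with `response_shows_id` on the captured body before treating the host as compromised.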
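CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |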
VulDB
Alcatel-Lucent OmniPCX 7.1 User input validation (EDB-16857 / XFDB-36632)
vuldb·2026-04-22·CVSS 9.8
CVE-2007-3010 [CRITICAL] Alcatel-Lucent OmniPCX 7.1 User input validation (EDB-16857 / XFDB-36632)
A vulnerability classified as critical was found in Alcatel-Lucent OmniPCX 7.1. This impacts an unknown function. The manipulation of the argument User results in improper input validation.
This vulnerability is known as CVE-2007-3010. It is possible to launch the attack remotely. Furthermore, an exploit is available.
GHSA
GHSA-27fx-q398-q8vr: masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7
ghsa_unreviewed·2022-05-01
CVE-2007-3010 [HIGH] CWE-20 GHSA-27fx-q398-q8vr: masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7
masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the user parameter during a ping action.
VulnCheck
Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
vulncheck·2007·CVSS 9.8
CVE-2007-3010 [CRITICAL] CWE-20 Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server allows remote attackers to execute arbitrary commands.
Affected: Alcatel OmniPCX Enterprise
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/; https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cujo.com/blog/the-2022-2023-iot-botnet-report-vulnerabilities-targeted/; https://cujo.com/the-2022-2023-iot-botnet-report-vulnerabilities-targeted/; https://www.trustwave.com
CISA
Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
cisa·2022-04-15·CVSS 9.8
CVE-2007-3010 [CRITICAL] CWE-20 Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
Vulnerability: Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
Affected: Alcatel OmniPCX Enterprise
masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server allows remote attackers to execute arbitrary commands.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2007-3010
Remediation Due Date: 2022-05-06
No detection rules found.
Exploit-DB
Alcatel-Lucent OmniPCX Enterprise - masterCGI Arbitrary Command Execution (Metasploit)
exploitdb·2010-10-05
CVE-2007-3010 Alcatel-Lucent OmniPCX Enterprise - masterCGI Arbitrary Command Execution (Metasploit)
---
##
# $Id: alcatel_omnipcx_mastercgi_exec.rb 10556 2010-10-05 23:13:04Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',
'Description' => %q{
This module abuses a metacharacter injection vulnerability in the
HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise
Communication Server 7.1 and earlier. The Unified Maintenance Tool
contains a 'masterCGI' binary whi
Exploit-DB
FSD 2.052/3.000 - 'servinterface.cc servinterface::sendmulticast' 'PIcallsign' Command Remote Overflow
exploitdb·2007-10-01
CVE-2007-5256 FSD 2.052/3.000 - 'servinterface.cc servinterface::sendmulticast' 'PIcallsign' Command Remote Overflow
---
source: https://www.securityfocus.com/bid/25883/info
FSD is prone to multiple remote buffer-overflow vulnerabilities because the application fails to perform adequate boundary-checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
These issues affect FSD 2.052 d9 and 3.0000 d9; other versions may also be affected.
A]
connect with nc or telnet to port 3010 (sometimes it can be 3011, but
it's easy to recognize since it shows a "FSD>" prompt) and then send:
HELP aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...(more_than_100_'a's)...aaaa
Exploit-DB
Alcatel-Lucent OmniPCX Enterprise 7.1 - Remote Command Execution
exploitdb·2007-09-17
CVE-2007-3010 Alcatel-Lucent OmniPCX Enterprise 7.1 - Remote Command Execution
---
source: https://www.securityfocus.com/bid/25694/info
Alcatel-Lucent OmniPCX Enterprise is prone to a remote command-execution vulnerability because it fails to adequately sanitize user-supplied data.
Attackers can exploit this issue to execute arbitrary commands with the privileges of the 'httpd' user. Successful attacks may facilitate a compromise of the application and underlying webserver; other attacks are also possible.
Alcatel-Lucent OmniPCX Enterprise R7.1 and prior versions are vulnerable to this issue.
curl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=;ls\${IFS}-l;"
Exploit-DB
Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 - masterCGI Command Injection (Metasploit)
exploitdb·2007-09-17
CVE-2007-3010 Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 - masterCGI Command Injection (Metasploit)
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',
'Description' => %q{
This module abuses a metacharacter injection vulnerability in the
HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise
Communication Server 7.1 and earlier. The Unified Maintenance Tool
contains a 'masterCGI' binary which allows an unauthenticated attacker
to execute arb
Metasploit
Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
metasploit
This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker to execute arbitrary commands by specifying shell metacharacters as the 'user' within the 'ping' action to obtain 'httpd' user access. This module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response.
Nuclei
Alcatel-Lucent OmniPCX - Remote Command Execution
nuclei·CVSS 9.8
CVE-2007-3010 [CRITICAL] Alcatel-Lucent OmniPCX - Remote Command Execution
The OmniPCX web interface has a script "masterCGI" with a remote command execution vulnerability via the "user" parameter.
Template:
```yaml
id: CVE-2007-3010

info:
  name: Alcatel-Lucent OmniPCX - Remote Command Execution
  author: king-alexander
  severity: critical
  description: |
    The OmniPCX web interface has a script "masterCGI" with a remote command execution vulnerability via the "user" parameter.
  impact: |
    Any user with access to the web interface could execute arbitrary commands with the permissions of the webservers.
  remediation: |
    Update to supported versions that filter shell metacharacters in the "user" parameter.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2007-3010
    - https://marc.info/?l=full-disclosure&m=119002152126755&w=2
    - htt
```
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
References
- http://marc.info/?l=full-disclosure&m=119002152126755&w=2
- http://osvdb.org/40521
- http://secunia.com/advisories/26853
- http://www.redteam-pentesting.de/advisories/rt-sa-2007-001.php
- http://www.securityfocus.com/archive/1/479699/100/0/threaded
- http://www.securityfocus.com/bid/25694
- http://www.vupen.com/english/advisories/2007/3185
- http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36632
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2007-3010

Timeline
- 2007-09-18: Published
- 2022-04-15: Added to CISA KEV
- Exploited in the wild