CVE-2009-1558
published 2009-05-06CVE-2009-1558: Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers…
PriorityP271high7.8CVSS 2.0
AVNACLAuNCCINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
28.81%
97.9th percentile
Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | wvc54gca | — | — |
| cisco | wvc54gca | — | — |
Detection & IOCsextracted from sources · hover to see the quote
yara↗
rule CVE_2009_1558_LFI { strings: $path = "/adm/file.cgi" $param1 = "next_file=" $traversal1 = "%2e." nocase $traversal2 = "%2fetc%2fpasswd" nocase condition: $path and $param1 and ($traversal1 or $traversal2) }- →Look for HTTP GET requests to /adm/file.cgi with a 'next_file' parameter containing encoded traversal sequences such as '%2e.' (encoded dot) or absolute paths like '%2fetc%2fpasswd'. ↗
- →Successful exploitation returns /etc/passwd content; match HTTP 200 responses to /adm/file.cgi requests containing the regex 'root:.*:0:0:' to confirm file read. ↗
- →Also monitor for the 'this_file' parameter in requests to /adm/file.cgi as an alternative exploitation vector (e.g., ?todo=pwnage&this_file=/etc/passwd). ↗
- ·Vulnerability is confirmed only on Cisco Linksys WVC54GCA firmware versions 1.00R22 and 1.00R24; other versions may also be vulnerable but are unconfirmed. ↗
- ·The vulnerability requires no authentication (Au:N) and is remotely exploitable over the network (AV:N/AC:L), meaning any unauthenticated remote attacker can trigger it. ↗
CVSS provenance
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8969-52cv-qf93: Directory traversal vulnerability in adm/file
ghsa_unreviewed·2022-05-02
CVE-2009-1558 [HIGH] CWE-22 GHSA-8969-52cv-qf93: Directory traversal vulnerability in adm/file
Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
VulnCheck
Cisco wvc54gca Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2009·CVSS 7.8
CVE-2009-1558 [HIGH] Cisco wvc54gca Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Cisco wvc54gca Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
Affected: Cisco wvc54gca
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2009-1558
No detection rules found.
Exploit-DB
Linksys WVC54GCA 1.00R22/1.00R24 (Wireless-G) - 'adm/file.cgi' Multiple Directory Traversal Vulnerabilities
exploitdb·2009-04-23
CVE-2009-1558 Linksys WVC54GCA 1.00R22/1.00R24 (Wireless-G) - 'adm/file.cgi' Multiple Directory Traversal Vulnerabilities
Linksys WVC54GCA 1.00R22/1.00R24 (Wireless-G) - 'adm/file.cgi' Multiple Directory Traversal Vulnerabilities
---
source: https://www.securityfocus.com/bid/34713/info
Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera is prone to multiple directory-traversal vulnerabilities because the software fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings ('../') to download arbitrary files with the privileges of the server process. Information obtained may aid in further attacks.
Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera firmware 1.00R22 and 1.00R24 are affected; other versions may also be vulnerable.
http://www.example.com/adm/file.cgi?next_file=%2fetc%2fpasswd
http://www.example.com/adm/file.cgi?
Nuclei
Cisco Linksys WVC54GCA 1.00R22/1.00R24 - Local File Inclusion
nuclei·CVSS 7.8
CVE-2009-1558 [HIGH] Cisco Linksys WVC54GCA 1.00R22/1.00R24 - Local File Inclusion
Cisco Linksys WVC54GCA 1.00R22/1.00R24 - Local File Inclusion
Cisco Linksys WVC54GCA 1.00R22/1.00R24 is susceptible to local file inclusion in adm/file.cgi because it allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
Template:
id: CVE-2009-1558
info:
name: Cisco Linksys WVC54GCA 1.00R22/1.00R24 - Local File Inclusion
author: daffainfo
severity: high
description: Cisco Linksys WVC54GCA 1.00R22/1.00R24 is susceptible to local file inclusion in adm/file.cgi because it allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
impact: |
An attacker can exploit this vulnerability to read sensitive files on the device, potentially leading to una
http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/http://www.securityfocus.com/bid/34713http://www.vupen.com/english/advisories/2009/1173https://exchange.xforce.ibmcloud.com/vulnerabilities/50231http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/http://www.securityfocus.com/bid/34713http://www.vupen.com/english/advisories/2009/1173https://exchange.xforce.ibmcloud.com/vulnerabilities/50231
2009-05-06
Published
Exploited in the wild