CVE-2009-20011
published 2025-08-30CVE-2009-20011: ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 are vulnerable to remote command execution due to insecure handling of…
PriorityP275critical10CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
1.26%
65.8th percentile
ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 are vulnerable to remote command execution due to insecure handling of file uploads via the mimencode CGI utility. The vulnerability allows unauthenticated attackers to upload and execute arbitrary scripts as the Apache user. Additionally, the exploit can optionally escalate privileges by abusing insecure PATH usage in the benetool binary, resulting in root-level access if successful.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contentkeeper_technologies | contentkeeper_web_appliance | < 125.10 | 125.10 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for unauthenticated file upload requests to the mimencode CGI endpoint, which is the attack vector for remote command execution on ContentKeeper Web Appliance versions prior to 125.10. ↗
- →Alert on unexpected script execution or process spawning under the Apache user account, which may indicate successful exploitation of the mimencode upload vulnerability. ↗
- →Detect attempts to setuid the bash shell, which indicates privilege escalation following initial exploitation via the mimencode CGI vulnerability. ↗
- →Monitor for abuse of the benetool binary with insecure PATH manipulation, which is the privilege escalation vector leading to root-level access. ↗
- ·Privilege escalation to root via benetool is optional and only triggered when the SkipEscalation option is set to false in the Metasploit module; default behavior may only achieve Apache-level code execution. ↗
- ·The vulnerability affects ContentKeeper Web Appliance versions strictly prior to 125.10; version 125.10 and later are not affected and should be the remediation target. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No writeups or analysis indexed.
http://www.aushack.com/200904-contentkeeper.txthttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/contentkeeperweb_mimencode.rbhttps://web.archive.org/web/20081220084819/http://www.contentkeeper.com/https://www.ativion.com/contentkeeper/https://www.vulncheck.com/advisories/contentkeeper-web-appliance-rce-via-mimencode
2025-08-30
Published