cbcvebase.
CVE-2009-5156
published 2019-06-11

CVE-2009-5156: An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is Command Injection via the cgi-bin/script query string.

Priority: P181 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 10.92% (95.3th percentile)

Affected

1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veracomp | asmax_ar-804gu_firmware | | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/script?system
path: /cgi-bin/script
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ASMAX CGI script system Parameter Command Injection Attempt (CVE-2009-5156)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/script?system"; startswith; fast_pattern; reference:cve,2009-5156; classtype:attempted-admin; sid:2065221; rev:1; metadata:affected_product ASMAX, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2009_5156, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic is plaintext HTTP (not TLS); deploy detection at the network perimeter and internally on HTTP traffic.
  • Look for HTTP GET requests where the URI starts with /cgi-bin/script?system — the 'system' query parameter is the injection point.
  • Target affected device: ASMAX AR-804gu firmware version 66.34.1 networking equipment.
  • Classify detections as attempted-admin (privilege escalation via command injection on networking equipment); maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under tactic TA0001 (Initial Access).
  • The Snort/Suricata rule uses 'startswith' on the URI content match, meaning it only fires when the URI begins exactly with /cgi-bin/script?system. Variants that include path prefixes or URL encoding may evade this rule.
  • Rule is scoped to $HOME_NET as the destination; ensure $HOME_NET is correctly defined to include ASMAX device IP ranges, otherwise internal-only deployments may miss inbound exploitation.

CVSS provenance

nvd v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL