CVE-2010-0219
published 2010-10-18

Priority: P184, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 89.87% (99.8th percentile)

Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.

Affected

8 ranges

Vendor   Product           Version range   Fixed in
apache   axis2
apache   axis2
apache   axis2
apache   axis2
apache   axis2
apache   axis2
apache   axis2
sap      businessobjects

Detection & IOCs (extracted from sources)

url: /axis2-admin/login
url: /axis2/axis2-admin/login
url: http://host:8014/WebServiceImpl/axis2-admin/upload
port: 8080
port: 8014
cookie: JSESSIONID
path: C:\Program Files\CA\ARCserve D2D\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml
path: /webapps/dswsbobje/WEB-INF/services/
other: SOAPAction: "http://session.dsws.businessobjects.com/2007/06/01/run"

  • Detect successful Axis2 admin login by matching response body for the string 'Welcome to Axis2 Web Admin Module !!'
  • Monitor for POST requests to /axis2-admin/login or /axis2/axis2-admin/login with credentials admin:axis2 (default credential abuse)
  • Monitor for multipart/form-data POST uploads to /axis2-admin/upload paths, which is the mechanism used to deploy malicious .aar web service files
  • Alert on HTTP GET requests to /axis2/services/<random_name>/run after an upload, indicating payload execution polling
  • Use Shodan/FOFA queries to identify exposed Axis2 instances: http.html:"Apache Axis" or body="apache axis"
  • On CA ARCserve D2D hosts, check whether Axis2 on port 8014 is reachable from outside: the port is added to the firewall exceptions, which allows internet access
  • Inspect axis2.xml for default credentials: look for admin/axis2 entries indicating unpatched default configuration
  • Detect SOAP-based payload execution: monitor POST requests to /axis2/services/<name> with SOAPAction header containing 'http://session.dsws.businessobjects.com/2007/06/01/run'
  • The SAP BusinessObjects path uses /dswsbobje instead of /axis2 as the Axis2 app root; detection rules must account for both paths
  • HP Universal CMDB uses an additional HTTP Basic Auth layer on top of Axis2 with default credentials admin/admin, requiring a two-stage authentication check
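
The request-path rules above, as an added example (not taken from the sources this entry quotes): a Python scan over access-log lines that flags POSTs to the Axis2 admin login and upload endpoints under any app root, and service calls from a client that uploaded earlier. The common-log format, the function and stage names, and the sample lines are assumptions constructed for illustration.

```python
import re

# Access-log record: client ident user [time] "METHOD path PROTO" status ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}')
# Admin servlet under an optional one-segment app root (/axis2, /dswsbobje, ...)
ADMIN = re.compile(r'^(?:/[^/?]+)?/axis2-admin/(?P<action>login|upload)(?:[?;]|$)', re.I)
# Deployed service endpoint: /<root>/services/<name>[/operation]
SERVICE = re.compile(r'^/[^/?]+/services/(?P<name>[^/?]+)', re.I)

def scan(lines):
    """Return (client_ip, stage, path) alerts in log order."""
    alerts, uploaders = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log record
        ip, method, path = m["ip"], m["method"], m["path"]
        admin = ADMIN.match(path)
        if admin and method == "POST":
            action = admin["action"].lower()
            if action == "upload":
                uploaders.add(ip)  # remember who deployed a service archive
            alerts.append((ip, "admin_" + action, path))
        elif SERVICE.match(path) and ip in uploaders:
            # Service call from a client that uploaded earlier in this log
            alerts.append((ip, "service_call_after_upload", path))
    return alerts

# Constructed sample lines (documentation IP ranges, hypothetical service name)
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Oct/2010:10:00:01 +0000] "POST /axis2/axis2-admin/login HTTP/1.1" 200 5120',
    '192.0.2.10 - - [18/Oct/2010:10:00:05 +0000] "POST /axis2/axis2-admin/upload HTTP/1.1" 200 4300',
    '192.0.2.10 - - [18/Oct/2010:10:00:09 +0000] "GET /axis2/services/Example/run HTTP/1.1" 200 12',
    '198.51.100.7 - - [18/Oct/2010:10:01:00 +0000] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 900',
    '198.51.100.7 - - [18/Oct/2010:10:02:00 +0000] "POST /dswsbobje/axis2-admin/login HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

Access logs do not carry the submitted credentials or the response body, so a login hit here only marks the request; confirming a successful default-credential login still needs the response-body match described in the first rule.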

CVSS provenance

nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 10.0 CRITICAL