cbcvebase.
CVE-2011-0364
published 2011-02-19


Priority: P269, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 19.62% (97.0th percentile)
The Management Console (webagent.exe) in Cisco Security Agent 5.1, 5.2, and 6.0 before 6.0.2.145 allows remote attackers to create arbitrary files and execute arbitrary code via unspecified parameters in a crafted st_upload request.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
cisco | security_agent | |
cisco | security_agent | |
cisco | security_agent | |
cisco | security_agent | |

Detection & IOCs (extracted from sources)

url: /csamc60/agent
url: /csamc60/exploit.gee
filename: webagent.exe
path: ../bin/webserver/htdocs/diag/bin
path: /../bin/webserver/
path: /../.htaccess
path: c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl
other: multipart/form-data; boundary=<boundary>; fields: host_uid, jobname, host, diags, diagsu, profiler, extension
  • Detect POST requests to the /csamc60/agent endpoint containing multipart/form-data with a 'st_upload' action; the exploit sends path-traversal sequences (e.g., '../' or '/../') in the 'jobname', 'host', and 'extension' form fields.
  • Alert on path-traversal patterns in multipart form fields ('jobname', 'host', 'extension') targeting the CSA Management Console, specifically sequences like '../bin/webserver/htdocs' or '/../.htaccess'.
  • Monitor for creation of .htaccess files containing 'Options +Includes +ExecCGI' and 'AddHandler cgi-script' directives under the CSA web server document root, which enables server-side script execution.
  • Detect GET requests to non-standard script extensions (e.g., .gee) under /csamc60/ following a POST to /csamc60/agent, which indicates a dropped payload being triggered.
  • The vulnerability is exploitable by unauthenticated attackers; monitor for POST requests to /csamc60/agent from external/untrusted IP addresses with no prior authenticated session.
  • Affected versions are Cisco Security Agent 5.1, 5.2, and 6.0 prior to 6.0.2.145. The exploit PoC hardcodes paths for version 6.0 (csamc60); path structures may differ for 5.x deployments.
  • The exploit uses HTTPS (HTTPSConnection) to communicate with the Management Console; detection must be applied to TLS-decrypted traffic or at the host level to be effective.
  • A workaround is available from Cisco in addition to the patch; consult the advisory for workaround details before relying solely on network-based detection.
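
The GET-after-POST correlation and the .htaccess check from the bullets above, run at the host level over web server access logs. This is an added example, not part of the original entry or any vendor tooling; the log lines are constructed, and the expected-extension list, the five-minute window and the function names are assumptions to tune per deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache common-log style (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Feb/2011:10:00:01 +0000] "POST /csamc60/agent HTTP/1.1" 200 312
198.51.100.7 - - [19/Feb/2011:10:00:04 +0000] "GET /csamc60/exploit.gee HTTP/1.1" 200 57
192.0.2.10 - - [19/Feb/2011:10:01:00 +0000] "POST /csamc60/agent HTTP/1.1" 200 290
192.0.2.10 - - [19/Feb/2011:10:45:00 +0000] "GET /csamc60/help.html HTTP/1.1" 200 1024
203.0.113.5 - - [19/Feb/2011:10:02:00 +0000] "GET /csamc60/odd.gee HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})\b')
EXPECTED_EXT = {"html", "htm", "css", "js", "gif", "png", "jpg", "ico"}  # assumption
WINDOW = timedelta(minutes=5)  # assumption: max gap between upload and trigger

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0].lower(), int(status)

def find_upload_then_trigger(log_text):
    """GET for an unexpected extension under /csamc60/ soon after a POST to /csamc60/agent."""
    last_post, alerts = {}, []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST" and path == "/csamc60/agent":
            last_post[ip] = when  # remember the most recent upload-endpoint hit per client
        elif method == "GET" and path.startswith("/csamc60/"):
            name = path.rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            seen = last_post.get(ip)
            if ext and ext not in EXPECTED_EXT and seen and timedelta(0) <= when - seen <= WINDOW:
                alerts.append((ip, path, status))
    return alerts

def htaccess_enables_cgi(text):
    """True when .htaccess content carries both directives named in the bullets above."""
    lowered = " ".join(text.lower().split())
    return "options +includes +execcgi" in lowered and "addhandler cgi-script" in lowered

if __name__ == "__main__":
    print(find_upload_then_trigger(SAMPLE_LOG))
```

A lone GET for an odd extension (the 203.0.113.5 line) is not flagged, because the rule keys on the preceding POST from the same client.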

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco | 10.0 | CRITICAL