CVE-2012-0262
published 2013-12-31


Priority: P183, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 72.85% (99.4th percentile)
op5config/welcome in system-op5config before 2.0.3 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
op5 | monitor | <= 5.5.1 |
op5 | monitor | |
op5 | monitor | |
op5 | monitor | |
op5 | monitor | |
op5 | system-op5config | <= 2.0.2 |

Detection & IOCs (extracted from sources)

url: /op5config/welcome
command: do=do=Login&password=`ping -c 10 127.0.0.1`
command: do=do=Login&password=`<payload>`
  • Detect POST requests to /op5config/welcome over HTTPS (port 443) containing backtick-wrapped shell metacharacters in the 'password' parameter, indicative of command injection attempts.
  • Look for the specific POST body pattern 'do=do=Login&password=`...`' — the double 'do=do=Login' is a fingerprint of the Metasploit exploit module for this CVE.
  • A timing-based detection heuristic: if a POST to /op5config/welcome takes >= 5 seconds to respond, the exploit module treats the target as vulnerable (timing side-channel via 'ping -c 10 127.0.0.1').
  • The exploit requires the payload to avoid the bad characters: backtick (`), backslash (\), and pipe (|). Signatures should still flag these characters in the password field as they are the injection delimiters.
  • Payload delivery is via cmd-type payloads (perl, ruby, or python reverse shells) injected into the password parameter — monitor for outbound connections from the op5 host process following a POST to /op5config/welcome.
  • The exploit communicates exclusively over HTTPS (not HTTP); plain-text HTTP inspection will miss this attack. TLS inspection must be enabled on network sensors to detect the malicious POST body.
  • The Metasploit module sets 'Connection: close' on every request; persistent/keep-alive session tracking will not help correlate check and exploit requests from the same attacker.
  • Affected versions are OP5 Monitor 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 and op5 Appliance before 5.5.3 / system-op5config before 2.0.3. Detections should be scoped to these versions to reduce false positives.
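
The detection notes above can be combined into one check over decrypted request records. The following is an added example, not code from this page's sources: the event fields (id, method, path, body, response_secs) and the sample events are constructed, and assume a proxy or sensor that already performs TLS inspection.

```python
import re
from urllib.parse import parse_qsl

TARGET_PATH = "/op5config/welcome"
SHELL_META = re.compile(r"[`\\|]")  # backtick, backslash, pipe in the password field
SLOW_SECS = 5.0                      # response-time threshold named in the notes above


def classify(event):
    """Return the findings for one decrypted HTTP request record (hypothetical schema)."""
    if event["method"].upper() != "POST":
        return []
    if event["path"].split("?", 1)[0].rstrip("/") != TARGET_PATH:
        return []
    # parse_qsl URL-decodes values, so %60 is matched the same as a literal backtick.
    fields = parse_qsl(event["body"], keep_blank_values=True)
    findings = []
    if any(k == "password" and SHELL_META.search(v) for k, v in fields):
        findings.append("shell-metachar-in-password")
    # "do=do=Login" parses as key "do" with value "do=Login".
    if ("do", "do=Login") in fields:
        findings.append("doubled-do-login-fingerprint")
    if event["response_secs"] >= SLOW_SECS:
        findings.append("slow-response")
    return findings


def scan(events):
    """Map event id -> findings, keeping only events with at least one finding."""
    results = {e["id"]: classify(e) for e in events}
    return {eid: hits for eid, hits in results.items() if hits}


# Constructed sample events; bodies reuse only the patterns quoted on this page.
SAMPLE_EVENTS = [
    {"id": "benign", "method": "POST", "path": "/op5config/welcome",
     "body": "do=Login&password=correct+horse", "response_secs": 0.2},
    {"id": "probe", "method": "POST", "path": "/op5config/welcome",
     "body": "do=do=Login&password=`ping -c 10 127.0.0.1`", "response_secs": 9.1},
    {"id": "encoded", "method": "POST", "path": "/op5config/welcome/",
     "body": "do=do=Login&password=%60%3Cpayload%3E%60", "response_secs": 0.3},
    {"id": "other-path", "method": "POST", "path": "/login",
     "body": "password=a`b", "response_secs": 0.1},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

The slow-response finding on its own is weak evidence, since a legitimate login can also be slow; it is most useful alongside one of the other two findings.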

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 10.0 | CRITICAL |