CVE-2012-2576
published 2017-12-20

Priority: P2 · 79 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT: public exploit available
EPSS: 59.15% (99.0th percentile)
SQL injection vulnerability in the LoginServlet page in SolarWinds Storage Manager before 5.1.2, SolarWinds Storage Profiler before 5.1.2, and SolarWinds Backup Profiler before 5.1.2 allows remote attackers to execute arbitrary SQL commands via the loginName field.

Affected

3 ranges

Vendor      Product            Version range   Fixed in
solarwinds  backup_profiler    < 5.1.2         5.1.2
solarwinds  storage_manager    < 5.1.2         5.1.2
solarwinds  storage_profiler   < 5.1.2         5.1.2

Detection & IOCs (extracted from sources)

url      http://<rhost>:9000/LoginServlet
port     9000
path     c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/
command  union select 0x<jsp_hex>,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "<output_path>"
command  AAA' union select ... into outfile ... #
command  1' or 1=1#--
path     /LoginServlet
  • Monitor HTTP POST requests to /LoginServlet on port 9000 for SQL injection patterns in the `loginName` field, specifically strings containing UNION SELECT, INTO OUTFILE, or boolean payloads like `1' or 1=1#--`.
  • Alert on POST parameters to LoginServlet where `loginName` contains single-quote characters combined with SQL keywords (UNION, SELECT, INTO OUTFILE) or comment sequences (#, --).
  • Detect new .jsp file creation under the SolarWinds Storage Manager web root directory (c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/) as an indicator of successful exploitation and webshell drop.
  • Monitor for outbound TCP connections from the SolarWinds Storage Manager process to attacker-controlled hosts: the dropped JSP webshell establishes a reverse shell over a raw socket to the attacker's lhost:lport.
  • Detect child process `cmd.exe` spawned by the SolarWinds Storage Manager Java process (e.g., java.exe or tomcat), which is indicative of the JSP reverse shell executing.
  • The SQL injection uses MySQL-specific syntax (INTO OUTFILE, hex literals with the 0x prefix, the # comment delimiter), so the backend database must be MySQL for this specific exploit chain to succeed. Detection rules targeting INTO OUTFILE and 0x-prefixed hex blobs in the `loginName` value are appropriate.
  • The dropped webshell filename is randomly generated (6 alphanumeric characters + .jsp), so static filename-based detection will not work; use directory monitoring or file-creation events on the web root path instead.
  • The affected products (Storage Manager, Storage Profiler, Backup Profiler) are vulnerable in versions prior to 5.1.2; 5.1.2 and later are patched and not vulnerable.
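The detection bullets above can be turned into a small offline checker. The following is an added example written for this page, not code from the original source, from SolarWinds, or from any published detection rule: it inspects captured POST requests to /LoginServlet on port 9000 for the `loginName` patterns listed (UNION SELECT, INTO OUTFILE, 0x hex blobs, boolean tautologies, # or -- terminators) and separately flags a file-creation event under the web root whose name has the 6-alphanumeric-plus-.jsp shape. All sample requests and file paths in the block are constructed for illustration; the request tuple format (method, port, path, urlencoded body) is an assumption about how your proxy or WAF log presents the data.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlencode

# Values taken from the IOC list above.
TARGET_PATH = "/LoginServlet"
TARGET_PORT = 9000
WEB_ROOT = "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/"

# Ordered so findings come back in a stable order.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("into_outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    # MySQL hex literal long enough to carry a file body rather than a short constant.
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)),
    # A quote that breaks out of the string literal, followed by OR x=y.
    ("tautology", re.compile(r"'\s*or\s+\S+?\s*=\s*\S+", re.I)),
    ("comment_terminator", re.compile(r"(#|--)\s*$")),
]
SQL_KEYWORDS = re.compile(r"\b(union|select|into|outfile)\b", re.I)


def classify_login_name(value):
    """Return the names of every indicator pattern matching one loginName value."""
    decoded = unquote_plus(value)  # second decode catches double-URL-encoded payloads
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
    # Second bullet above: a quote combined with any SQL keyword is itself alert-worthy.
    if "'" in decoded and SQL_KEYWORDS.search(decoded):
        hits.append("quote_plus_keyword")
    return hits


def inspect_request(method, port, path, body):
    """Inspect one captured HTTP request (method, port, path, urlencoded body).

    Returns a sorted list of indicator names; an empty list means nothing fired.
    Only POSTs to /LoginServlet on port 9000 are examined, so traffic to other
    servlets is ignored rather than pattern-matched.
    """
    if method.upper() != "POST" or port != TARGET_PORT:
        return []
    if path.split("?", 1)[0] != TARGET_PATH:
        return []
    params = parse_qs(body, keep_blank_values=True)
    findings = set()
    for value in params.get("loginName", []):
        findings.update(classify_login_name(value))
    return sorted(findings)


def is_suspicious_jsp_drop(created_path):
    """True for a file-creation event directly under the web root whose name is
    six alphanumerics plus .jsp, the shape the caveat above describes."""
    norm = created_path.replace("\\", "/")
    if not norm.lower().startswith(WEB_ROOT.lower()):
        return False
    name = norm[len(WEB_ROOT):]
    return re.fullmatch(r"[A-Za-z0-9]{6}\.jsp", name) is not None


# --- constructed sample traffic (not captured from any real system) ----------
def _body(login_name):
    return urlencode({"loginName": login_name, "password": "x"})


SAMPLE_REQUESTS = {
    "benign": ("POST", 9000, "/LoginServlet", _body("admin")),
    "apostrophe_name": ("POST", 9000, "/LoginServlet", _body("O'Brien")),
    "tautology": ("POST", 9000, "/LoginServlet", _body("1' or 1=1#--")),
    "union_outfile": ("POST", 9000, "/LoginServlet", _body(
        "AAA' union select 0x3c2520706167652069,2,3,4,5,6,7,8,9,10,11,12,13,14 "
        'into outfile "' + WEB_ROOT + 'Ab3x9Q.jsp" #')),
    "wrong_servlet": ("POST", 9000, "/ReportServlet", _body("1' or 1=1#--")),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:16s} -> {inspect_request(*req)}")
    for p in (WEB_ROOT + "Ab3x9Q.jsp", WEB_ROOT + "index.jsp"):
        print(f"{p} -> jsp drop? {is_suspicious_jsp_drop(p)}")
```

The `apostrophe_name` sample is there to show why the second bullet pairs the quote with a keyword: a lone `'` in a real surname must not page anyone. The path check normalises backslashes and compares case-insensitively because Windows file-creation events arrive in either form.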

CVSS provenance

NVD  CVSS v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD  CVSS v2.0   10.0  CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C