CVE-2012-2626
published 2012-07-31


Priority: P2 (76)
Severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 44.46% (98.6th percentile)
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action.

Affected

1 range

Vendor     Product      Version range  Fixed in
sonicwall  scrutinizer  < 9.5.0        9.5.0

Detection & IOCs (extracted from sources)

path: /cgi-bin/admin.cgi
command: tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
  • Monitor for unauthenticated POST requests to /cgi-bin/admin.cgi containing the 'tool=userprefs' parameter, which indicates an attempt to add an administrative account without token authentication.
  • Alert on HTTP POST request bodies to /cgi-bin/admin.cgi containing both 'tool=userprefs' and 'selectedUserGroup=' parameters, as this is the exact exploit payload pattern for adding a privileged account.
  • A successful exploit returns a JSON response body of the form {"new_user_id":"<N>"} with HTTP 200 from /cgi-bin/admin.cgi; correlate this response with the POST payload to confirm exploitation.
  • The Metasploit auxiliary module targets this vulnerability; look for automated/scripted POST requests to /cgi-bin/admin.cgi without a valid session token from unexpected source IPs.
  • The vulnerability exists in Scrutinizer versions before 9.5.0; the endpoint /cgi-bin/admin.cgi does not enforce token authentication in affected versions, meaning any unauthenticated remote request can create admin accounts.
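
The detection points above, combined into one triage routine. This is an added example, not code from the advisory or from any vendor; the record field names (src_ip, method, url, request_body, status, response_body) and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/admin.cgi"

def classify(event):
    """Return None, 'attempt', 'privileged-attempt' or 'confirmed' for one HTTP transaction."""
    if event["method"].upper() != "POST":
        return None
    if urlsplit(event["url"]).path != TARGET_PATH:
        return None
    # parse_qs decodes names and values, so parameter order and
    # URL-encoding do not affect the match.
    params = parse_qs(event["request_body"], keep_blank_values=True)
    if "userprefs" not in params.get("tool", []):
        return None
    verdict = "privileged-attempt" if "selectedUserGroup" in params else "attempt"
    # Confirmation: HTTP 200 whose JSON body carries new_user_id.
    if event["status"] == 200:
        try:
            body = json.loads(event["response_body"])
        except (ValueError, TypeError):
            body = None
        if isinstance(body, dict) and "new_user_id" in body:
            verdict = "confirmed"
    return verdict

def scan(events):
    """Return (source_ip, verdict, requested user name) for every matching transaction."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            user = parse_qs(ev["request_body"]).get("newUser", ["?"])[0]
            hits.append((ev["src_ip"], verdict, user))
    return hits

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    {"src_ip": "198.51.100.7", "method": "POST", "url": "/cgi-bin/admin.cgi",
     "request_body": "tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1",
     "status": 200, "response_body": '{"new_user_id":"4"}'},
    {"src_ip": "198.51.100.7", "method": "POST", "url": "/cgi-bin/admin.cgi?x=1",
     "request_body": "selectedUserGroup=1&tool=userprefs&newUser=a",
     "status": 500, "response_body": "error"},
    {"src_ip": "192.0.2.10", "method": "POST", "url": "/cgi-bin/admin.cgi",
     "request_body": "tool=other", "status": 200, "response_body": "{}"},
    {"src_ip": "192.0.2.10", "method": "GET", "url": "/cgi-bin/admin.cgi",
     "request_body": "", "status": 200, "response_body": ""},
]
```

A "confirmed" verdict means an account was created, so the follow-up is to review the Scrutinizer user list for the reported user name and remove any account that was not provisioned deliberately.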

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck           5.0    MEDIUM