CVE-2012-3001
published 2012-10-22

Priority: P272, high, 8.5 (CVSS 2.0)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 27.31% (97.8th percentile)

Mutiny Standard before 4.5-1.12 allows remote attackers to execute arbitrary commands via the network-interface menu, related to a "command injection vulnerability."

Affected

5 ranges

Vendor  Product   Version range  Fixed in
mutiny  standard  <= 4.5-1.10
mutiny  standard
mutiny  standard
mutiny  standard
mutiny  standard

Detection & IOCs

url: /interface/logon.jsp
url: /interface/logon.do
url: /interface/admin/cgi-bin/netconfig
cookie: JSESSIONID
path: /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask
path: /tmp/

  • Detect POST requests to /interface/logon.do followed by GET/POST to /interface/admin/cgi-bin/netconfig — this is the two-step exploit chain: authenticate then inject via the netmasketh0 parameter.
  • Flag POST requests to /interface/admin/cgi-bin/netconfig where the 'netmasketh0' parameter contains shell metacharacters (e.g., semicolons, backticks, pipe characters) — this is the injection point for command execution.
  • Alert on HTTP responses containing the string ': Mutiny : Login @ mutiny' to fingerprint exposed Mutiny appliance admin interfaces.
  • Monitor for ELF binary drops or execution from /tmp/ on Linux hosts running Mutiny, as the Linux Payload target writes and executes an ELF file from /tmp/.
  • Watch for writes to /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask and unexpected modifications to ifcfg-eth0, which are artifacts of post-exploitation cleanup by the Metasploit module.
  • Injected commands are executed with root privileges; monitor for unexpected /etc/init.d/network restart calls originating from the Mutiny web process.
  • Exploitation requires valid credentials to the Mutiny admin interface; default credentials (admin/mutiny) are used by the Metasploit module and should be checked/changed.
  • The vulnerability affects Mutiny versions prior to 4.5-1.12; the Metasploit module was confirmed working on Mutiny 4.2-1.05.
  • The default base path for the Mutiny interface is /interface/; this may vary in non-default deployments.
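
One way to apply the first two detection notes to proxy or WAF logs, as an added example that is not part of the original page or of the Metasploit module. It assumes a tab-separated log that records the request body (timestamp, client, method, path, body); the sample lines are constructed, and the check is an allow-list (anything that is not a dotted-quad netmask is flagged) rather than a list of metacharacters.

```python
import re
from urllib.parse import parse_qs

LOGON = "/interface/logon.do"                    # default base path; may differ
NETCONFIG = "/interface/admin/cgi-bin/netconfig"
# Allow-list: a netmask field should only ever hold a dotted quad.
NETMASK_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample log (assumed format: ts, client, method, path, body).
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2012-10-22T10:00:01", "198.51.100.7", "POST", LOGON, "-"),
    ("2012-10-22T10:00:05", "198.51.100.7", "POST", NETCONFIG,
     "netmasketh0=255.255.255.0"),
    ("2012-10-22T11:30:00", "203.0.113.9", "POST", LOGON, "-"),
    ("2012-10-22T11:30:02", "203.0.113.9", "POST", NETCONFIG,
     "netmasketh0=255.255.255.0%3Bid"),
    ("2012-10-22T12:00:00", "192.0.2.44", "POST", NETCONFIG,
     "netmasketh0=%60id%60"),
])


def scan(log_text):
    """Return one alert per netconfig POST whose netmasketh0 is not a netmask."""
    alerts = []
    logged_on = set()  # clients already seen POSTing to the logon endpoint
    for line in log_text.splitlines():
        ts, client, method, path, body = line.split("\t")
        if method != "POST":
            continue
        if path == LOGON:
            logged_on.add(client)
        elif path == NETCONFIG:
            params = parse_qs(body, keep_blank_values=True)  # URL-decodes values
            for value in params.get("netmasketh0", []):
                if not NETMASK_RE.fullmatch(value):
                    alerts.append({
                        "ts": ts,
                        "client": client,
                        "value": value,
                        # True when the logon -> netconfig chain was observed
                        "after_logon": client in logged_on,
                    })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

An alert with `after_logon` set to false still deserves review, since the session may have been established before the log window began.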