cbcvebase.
CVE-2012-5357
published 2017-10-30


Priority: P1 82 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 67.78% (99.2th percentile)
Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data.

Affected (1 range)

Vendor: ektron
Product: ektron_content_management_system
Version range: <= 8.02
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

Path: /cms400min/WorkArea/ContentDesigner/ekajaxtransform.aspx
  • The exploit's default URI base path is '/cms400min/'; monitor for POST requests to '/cms400min/WorkArea/ContentDesigner/ekajaxtransform.aspx' as a high-fidelity indicator of exploitation attempts.
  • Successful exploitation results in code execution as NETWORK SERVICE; monitor for NETWORK SERVICE spawning unexpected child processes (e.g., cmd.exe, powershell.exe) from w3wp.exe or aspnet_wp.exe on Ektron CMS hosts.
  • The Metasploit module drops a file to %WINDIR%\Temp\ during exploitation; monitor for new executable or text files written to that directory by the IIS worker process.
  • The default TARGETURI is '/cms400min/' but may vary per deployment; defenders should ensure monitoring covers all possible base paths for ekajaxtransform.aspx, not just the default.
  • The module was tested on Windows 2003 SP2 with Ektron CMS400 8.02; behavior on other OS/CMS version combinations may differ.
  • The HTTP_DELAY option (default 60 seconds) controls how long the exploit's HTTP server waits for the VBS payload callback; detection based on timing anomalies should account for this window.
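The first two indicators above, turned into detection logic as an added example (this is not code from the CVE record, Ektron, or the Metasploit module). It assumes IIS W3C-format access logs with the field order given in the docstring and a simplified process-creation record; the sample log lines and process events are constructed here, and the path match is a suffix match so that non-default base paths are covered too.

```python
from dataclasses import dataclass

# Case-insensitive suffix match so non-default base paths (not only /cms400min/) are covered.
TARGET_SUFFIX = "/workarea/contentdesigner/ekajaxtransform.aspx"
IIS_WORKERS = {"w3wp.exe", "aspnet_wp.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str

def detect_ekajax_posts(iis_lines):
    """Flag POST requests to ekajaxtransform.aspx in IIS W3C log lines (assumed field order:
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status)."""
    alerts = []
    for line in iis_lines:
        if not line or line.startswith("#"):  # skip blanks and #Fields/#Software directives
            continue
        f = line.split()
        if len(f) < 9:
            continue
        method, uri, client = f[3], f[4], f[8]
        if method.upper() == "POST" and uri.lower().endswith(TARGET_SUFFIX):
            alerts.append(Alert("ektron-ekajaxtransform-post", f"{client} -> {uri}"))
    return alerts

def detect_worker_child_procs(proc_events):
    """Flag NETWORK SERVICE shells whose parent is the IIS worker process (w3wp.exe / aspnet_wp.exe)."""
    alerts = []
    for ev in proc_events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if (parent in IIS_WORKERS and child in SUSPICIOUS_CHILDREN
                and ev["user"].upper().endswith("NETWORK SERVICE")):
            alerts.append(Alert("iis-worker-spawned-shell", f"{parent} -> {child} as {ev['user']}"))
    return alerts

# Constructed sample input for this example (not real telemetry).
SAMPLE_IIS = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2024-01-01 10:00:00 10.0.0.5 GET /cms400min/login.aspx - 80 - 198.51.100.7 Mozilla/5.0 200",
    "2024-01-01 10:00:01 10.0.0.5 POST /cms400min/WorkArea/ContentDesigner/ekajaxtransform.aspx - 80 - 198.51.100.7 python-requests 200",
    "2024-01-01 10:00:02 10.0.0.5 POST /intranet/WorkArea/ContentDesigner/ekajaxtransform.aspx - 80 - 198.51.100.7 python-requests 200",
]
SAMPLE_PROCS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\NETWORK SERVICE"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice"},
]
```

Running both detectors over the samples yields two path alerts (one for the default base path, one for the '/intranet/' deployment) and one process alert; the explorer.exe-spawned shell is not flagged.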

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P