cbcvebase.
CVE-2013-2568
published 2020-01-29


Priority P279 · critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available: yes
EPSS: 48.54% (98.7th percentile)
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code.

Affected

2 ranges
Vendor   Product           Version range   Fixed in
zavio    f3105_firmware    <= 1.6.03       (none listed)
zavio    f312a_firmware    <= 1.6.03       (none listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/mft/wireless_mft.cgi
url: http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
path: /cgi-bin/mft/manufacture.cgi
snort rule (Emerging Threats, written in Suricata sticky-buffer syntax):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Zavio IP Camera OS Command Injection Attempt Inbound (CVE-2013-2568)"; flow:established,to_server; http.uri; content:"/cgi-bin/mft/"; startswith; fast_pattern; content:"ap="; distance:0; content:"|3b|"; distance:0; pcre:"/[?&]ap=/U"; reference:cve,2013-2568; classtype:attempted-admin; sid:2038502; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_08_12, cve CVE_2013_2568, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2022_08_12, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Exploit requests target a URI path starting with '/cgi-bin/mft/' and carry an 'ap=' parameter whose value contains a semicolon (0x3b) used as a shell command separator. The rule above requires all three in order: the URI prefix, the 'ap=' parameter, and the semicolon byte. The sample URL above hits '/cgi-bin/mft/wireless_mft' without the '.cgi' suffix, which the prefix match still covers; a detector that keys on the full script name would miss it.
  • Reaching '/cgi-bin/mft/' requires HTTP Basic Auth with the hard-coded manufacture account (CVE-2013-2567). Alert on any request under '/cgi-bin/mft/' whose Authorization header decodes to 'manufacture:erutcafunam'; there is no legitimate reason for that account to appear in traffic from outside the vendor's manufacturing line.
  • Monitor HTTP requests to '/opt/cgi/view/param' for a 'General.Time.NTP.Server' parameter containing a semicolon, which indicates exploitation of the related post-auth command injection (CVE-2013-2570) on the same device class.
  • The hard-coded credentials ('manufacture'/'erutcafunam') are embedded in 'boa.conf' and are neither visible nor removable through the user web interface, so the device owner cannot rotate or disable them. Only a vendor firmware fix, or blocking access to '/cgi-bin/mft/' at the network edge, removes the exposure.
  • The vulnerability affects firmware v1.6.03 and below; the vendor had not provided a fixed version at the time of disclosure.
  • CVE-2013-2568 itself is post-auth with respect to the web server, but because the required account is the fixed manufacture credential from CVE-2013-2567 rather than anything the owner configured, the two together form an effectively pre-auth remote command execution chain (hence PR:N in the NVD vector).
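The detection notes above describe three URI conditions and a credential check. The Python below, an added example and not code from this page, the camera vendor or the Emerging Threats rule set, replays those conditions over constructed request records so the matching logic can be tested offline. It assumes request lines in 'METHOD target HTTP/x' form with an optional Authorization header, inspects only the URI query string (a POST body would need separate parsing), percent-decodes the target before matching so an encoded '%3b' separator is caught, and all sample requests are made up for the example, not captured traffic.

```python
"""Replay of the CVE-2013-2568 detection notes over constructed request records.

Added example, not part of the original page or any vendor/IDS project code.
Mirrors the rule's three conditions (URI prefix, named parameter, ';' in the
value) plus the hard-coded-credential check, on a percent-decoded request URI.
"""
import base64
from urllib.parse import unquote, urlsplit

# (URI path prefix, parameter name, CVE) taken from the detection notes above.
# Only URI query strings are inspected here; POST bodies are out of scope.
INJECTION_RULES = (
    ("/cgi-bin/mft/", "ap", "CVE-2013-2568"),
    ("/opt/cgi/view/param", "General.Time.NTP.Server", "CVE-2013-2570"),
)

# Hard-coded manufacture account from CVE-2013-2567, as it appears in a Basic header.
HARDCODED_CREDENTIAL = b"manufacture:erutcafunam"
HARDCODED_BASIC = base64.b64encode(HARDCODED_CREDENTIAL).decode()

# Constructed sample requests: (request line, Authorization header or None).
SAMPLE_REQUESTS = [
    ("GET /cgi-bin/mft/wireless_mft.cgi?ap=HomeWiFi HTTP/1.1", None),
    ("GET /cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales HTTP/1.1",
     "Basic " + HARDCODED_BASIC),
    ("GET /cgi-bin/mft/wireless_mft.cgi?ap=x%3Bid HTTP/1.1", None),
    ("GET /opt/cgi/view/param?action=update&General.Time.NTP.Server=pool.ntp.org;reboot HTTP/1.1", None),
    ("GET /cgi-bin/view/param?ap=a;b HTTP/1.1", None),
    ("GET /cgi-bin/mft/manufacture.cgi HTTP/1.1", "Basic " + HARDCODED_BASIC),
]


def split_query(query):
    """Split a query string on '&' only and percent-decode keys and values.

    Done by hand rather than with parse_qsl so that ';' is never treated as a
    pair separator (older Python versions did that), since ';' is the signal here.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _sep, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def parse_request_line(line):
    """Return (method, decoded path, {param: decoded value}) for 'METHOD target HTTP/x'."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, unquote(parts.path), split_query(parts.query)


def match_injection(path, params):
    """Return the CVE id of the first rule whose prefix, parameter and ';' all match, else None."""
    for prefix, param, cve in INJECTION_RULES:
        if path.startswith(prefix) and param in params and ";" in params[param]:
            return cve
    return None


def uses_hardcoded_account(auth_header):
    """True if the Authorization header is HTTP Basic with manufacture:erutcafunam."""
    if not auth_header:
        return False
    scheme, _sep, token = auth_header.strip().partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        return base64.b64decode(token, validate=True) == HARDCODED_CREDENTIAL
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def scan(records):
    """One finding per request that matches an injection rule or presents the
    hard-coded account to the /cgi-bin/mft/ tree; the credential alone is enough."""
    findings = []
    for line, auth in records:
        _method, path, params = parse_request_line(line)
        cve = match_injection(path, params)
        hardcoded = uses_hardcoded_account(auth) and path.startswith("/cgi-bin/mft/")
        if cve or hardcoded:
            findings.append({"request": line, "cve": cve, "hardcoded_account": hardcoded})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Four of the six sample requests are flagged: the two '/cgi-bin/mft/' injections (one with a literal ';', one with '%3B'), the CVE-2013-2570 shape against '/opt/cgi/view/param', and the credential-only request to manufacture.cgi. The request under '/cgi-bin/view/param' is ignored despite its semicolon because the prefix does not match, which is the same behaviour the Snort rule's 'startswith' gives.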

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C