cbcvebase.
CVE-2013-2573
published 2020-01-29

CVE-2013-2573: A Command Injection vulnerability exists in the ap parameter to the /cgi-bin/mft/wireless_mft.cgi file in TP-Link IP Cameras TL-SC 3130, TL-SC 3130G, 3171G…

PriorityP277critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
42.24%
98.5th percentile
A Command Injection vulnerability exists in the ap parameter to the /cgi-bin/mft/wireless_mft.cgi file in TP-Link IP Cameras TL-SC 3130, TL-SC 3130G, 3171G. and 4171G 1.6.18P12s, which could let a malicious user execute arbitrary code.

Affected

4 ranges
VendorProductVersion rangeFixed in
openstacknova>= 0 < 12.0.0a012.0.0a0
tp-linktl-sc_3130g_firmware<= 1.6.18p12
tp-linktl-sc_3171g_firmware<= 1.6.18p12
tp-linktl-sc_4171g_firmware<= 1.6.18p12

Detection & IOCsextracted from sources · hover to see the quote

path/cgi-bin/mft/wireless_mft.cgi
path/cgi-bin/mft/manufacture.cgi
urlhttp://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
commandap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
  • Detect HTTP requests to /cgi-bin/mft/wireless_mft.cgi (or wireless_mft) with the 'ap' parameter containing shell metacharacters (e.g. semicolons, pipes) indicative of command injection.
  • Detect HTTP Basic Authentication attempts using the hardcoded username 'manufacture' and password 'erutcafunam' against TP-Link camera web interfaces.
  • Monitor for access to /cgi-bin/mft/ endpoints (manufacture.cgi, wireless_mft.cgi) which are not visible from the normal user web interface and should never be accessed by legitimate users.
  • ·The hardcoded credentials ('manufacture'/'erutcafunam') are embedded in boa.conf and cannot be removed or changed by end users, making all unpatched devices permanently exposed to this attack vector.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat2.3LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.