cbcvebase.
CVE-2013-2578
published 2013-10-11

CVE-2013-2578: cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6…

Priority: P1 · 81 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 73.71% (99.4th percentile)
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the ServerName parameter and (2) other unspecified parameters.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
tp-link | lm_firmware | <= 1.6.18p12_sign5 | -

Detection & IOCs (extracted from sources)

path: /cgi-bin/admin/servetest
url: /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q
path: /cgi-bin/uploadfile
path: /cgi-bin/firmwareupgrade
path: /mnt/mtd
command: /usr/sbin/telnetd
filename: COM_T01F001_LM.1.6.18P12_sign5_TPL.TL-SC3171.bin
  • Alert on HTTP requests to /cgi-bin/admin/servetest with the pattern 'ServerName=<ip>;/usr/sbin/telnetd;' as this is the documented PoC payload to enable the telnet daemon.
  • Monitor for unauthenticated POST requests to /cgi-bin/uploadfile, which allows arbitrary file uploads without authentication.
  • Monitor for unauthenticated requests to /cgi-bin/firmwareupgrade, which allows remote firmware replacement without authentication.
  • After exploitation, watch for inbound Telnet connections to the device and login attempts using username 'qmik' with no password, which grants access to a root-escalatable shell.
  • The 'qmik' user can escalate to root via 'su'; monitor for 'su' execution following a 'qmik' telnet login on affected devices.
  • The exploit PoC uses a hardcoded Authorization header 'Basic YWRtaW46YWRtaW4=' (admin:admin); alert on requests to /cgi-bin/admin/servetest using this credential.
  • The vulnerability requires authentication to /cgi-bin/admin/servetest; however, authentication can be bypassed by first resetting the device to factory defaults (via /cgi-bin/hardfactorydefault) and using default credentials admin:admin, making it effectively unauthenticated in practice.
  • Affected firmware is LM.1.6.18P12_sign5 and earlier; the vendor released a pre-release patched firmware LM.1.6.18P12_sign6. Other TP-Link camera models beyond TL-SC3171 are likely affected but were not confirmed tested.
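
The request-side checks in the notes above, as an added example (not code from this page or from TP-Link): a log scanner that flags shell metacharacters in any servetest query parameter and hits on the other listed endpoints. It assumes combined-format access logs from a proxy or sensor in front of the camera; the sample lines are constructed, and parameters sent in a POST body are not visible to it.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Paths named in the detection notes above.
SERVETEST = "/cgi-bin/admin/servetest"
WATCH_PATHS = {
    "/cgi-bin/uploadfile": "unauthenticated file upload endpoint",
    "/cgi-bin/firmwareupgrade": "unauthenticated firmware upgrade endpoint",
    "/cgi-bin/hardfactorydefault": "factory reset (restores admin:admin)",
}
# Characters a shell interprets; none belong in a host name, port or address.
SHELL_META = re.compile(r"[;|&`$<>(){}\\\n\r]")
# Assumed log layout: the quoted request field "METHOD target HTTP/x.y".
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines; addresses are documentation ranges
    '198.51.100.7 - admin [11/Oct/2013:10:00:01 +0000] "GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=mail.example.com&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q HTTP/1.1" 200 51',
    '192.0.2.44 - admin [11/Oct/2013:10:02:13 +0000] "GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q HTTP/1.1" 200 51',
    '192.0.2.44 - admin [11/Oct/2013:10:02:40 +0000] "GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1%3B%2Fusr%2Fsbin%2Ftelnetd%3B&ServerPort=25 HTTP/1.1" 200 51',
    '192.0.2.44 - - [11/Oct/2013:10:05:02 +0000] "POST /cgi-bin/uploadfile HTTP/1.1" 200 0',
]

def inspect(line):
    """Return a list of findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    findings = []
    if url.path in WATCH_PATHS:
        findings.append(f"{m['method']} {url.path}: {WATCH_PATHS[url.path]}")
    if url.path == SERVETEST:
        # Split on raw '&' only, then decode, so a literal or percent-encoded
        # ';' stays inside the parameter value it was sent in.
        for pair in url.query.split("&"):
            name, _, value = pair.partition("=")
            value = unquote_plus(value)
            if SHELL_META.search(value):
                findings.append(f"shell metacharacter in {unquote_plus(name)}={value!r}")
    return findings

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        for finding in inspect(line):
            print(f"line {n}: {finding}")
```

Because every parameter is checked rather than only ServerName, the same rule covers the "other unspecified parameters" in the CVE description.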

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 10.0 | CRITICAL