CVE-2013-2581
published 2013-10-11

CVE-2013-2581: cgi-bin/firmwareupgrade in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6…

Priority: P3 (51), high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)
EXPLOIT
EPSS: 2.50% (82.7th percentile)
cgi-bin/firmwareupgrade in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to modify the firmware revision via a "preset" action.

Affected

1 range

Vendor  | Product     | Version range       | Fixed in
tp-link | lm_firmware | <= 1.6.18p12_sign5  |

Detection & IOCs (extracted from sources)

path: /cgi-bin/firmwareupgrade
path: /cgi-bin/uploadfile
path: /cgi-bin/admin/servetest
path: /cgi-bin/reboot
path: /cgi-bin/hardfactorydefault
url: /cgi-bin/firmwareupgrade?action=preset
url: /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q
filename: COM_T01F001_LM.1.6.18P12_sign5_TPL.TL-SC3171.bin
path: /mnt/mtd
command: /usr/sbin/telnetd
other: username: qmik / password: (none)
  • Detect unauthenticated GET/POST requests to /cgi-bin/firmwareupgrade with the 'action=preset' parameter — no authentication header required, indicating exploitation of CVE-2013-2581.
  • Detect unauthenticated POST requests to /cgi-bin/uploadfile with multipart file upload content — no Authorization header present.
  • Detect HTTP requests to /cgi-bin/admin/servetest containing semicolons in parameter values (e.g., ServerName), indicative of OS command injection chaining.
  • Monitor for telnet service activation on TP-Link IP camera devices following HTTP requests to /cgi-bin/admin/servetest — indicates successful CVE-2013-2578 exploitation used as a precursor.
  • Alert on telnet login attempts using username 'qmik' with no password to TP-Link camera devices — this is a hard-coded backdoor credential.
  • Detect the Authorization header value 'Basic YWRtaW46YWRtaW4=' (base64 for admin:admin) in HTTP requests to TP-Link camera CGI endpoints, indicating use of default/reset credentials.
  • The vulnerability affects firmware version LM.1.6.18P12_sign5 and earlier; devices running beta firmware LM.1.6.18P12_sign6 or later are patched.
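
The HTTP-side detections in the list above (unauthenticated preset, unauthenticated upload, semicolons in servetest parameters, default admin:admin header) can be expressed as one log filter. This is an added example, not code from the advisory or from any vendor tooling; the four-field log format, the function names and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Header value quoted in the detection list above (base64 of admin:admin).
DEFAULT_ADMIN_AUTH = "Basic YWRtaW46YWRtaW4="

# Constructed sample lines in an assumed proxy/WAF format:
#   client method request-target authorization-header ("-" = header absent)
SAMPLE_LOG = [
    "198.51.100.7 GET /cgi-bin/firmwareupgrade?action=preset -",
    "198.51.100.7 POST /cgi-bin/uploadfile -",
    "198.51.100.7 GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=host%3Bx"
    "&ServerPort=25 Basic YWRtaW46YWRtaW4=",
    # Authenticated with a non-default credential: must not alert.
    "192.0.2.10 GET /cgi-bin/firmwareupgrade?action=preset Basic b3A6czNjcmV0",
]

def classify(line):
    """Return the names of the detection rules one log line triggers."""
    _client, method, target, auth = line.split(" ", 3)
    auth = auth.strip()
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # CVE-2013-2581: preset action reached without any Authorization header.
    if (path == "/cgi-bin/firmwareupgrade" and auth == "-"
            and "preset" in (v.lower() for v in query.get("action", []))):
        hits.append("unauthenticated firmwareupgrade preset")
    # Upload endpoint hit without credentials (body type is not in this log).
    if path == "/cgi-bin/uploadfile" and method == "POST" and auth == "-":
        hits.append("unauthenticated uploadfile POST")
    # Semicolon anywhere in the decoded query string, raw or %3B-encoded.
    if path == "/cgi-bin/admin/servetest" and ";" in unquote(parts.query):
        hits.append("semicolon in servetest parameters")
    # Default/reset credentials presented to any camera CGI endpoint.
    if path.startswith("/cgi-bin/") and auth == DEFAULT_ADMIN_AUTH:
        hits.append("default admin:admin credentials")
    return hits

def scan(lines):
    """Map 1-based line numbers to triggered rules, skipping clean lines."""
    return {n: h for n, line in enumerate(lines, 1) if (h := classify(line))}

if __name__ == "__main__":
    for number, rules in scan(SAMPLE_LOG).items():
        print(number, rules)
```

The telnet-related items in the list (service activation, logins as 'qmik') need network or host telemetry rather than HTTP logs and are not covered by this filter.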