CVE-2013-2581
Published 2013-10-11
Priority: P3 · 51 · high · 7.8 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
EXPLOIT
EPSS: 2.50% (82.7th percentile)
cgi-bin/firmwareupgrade in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to modify the firmware revision via a "preset" action.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | lm_firmware | <= 1.6.18p12_sign5 | — |
Detection & IOCs (extracted from sources)
url: /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q
- Detect unauthenticated GET/POST requests to /cgi-bin/firmwareupgrade with the 'action=preset' parameter — no authentication header required, indicating exploitation of CVE-2013-2581.
- Detect unauthenticated POST requests to /cgi-bin/uploadfile with multipart file upload content — no Authorization header present.
- Detect HTTP requests to /cgi-bin/admin/servetest containing semicolons in parameter values (e.g., ServerName), indicative of OS command injection chaining.
- Monitor for telnet service activation on TP-Link IP camera devices following HTTP requests to /cgi-bin/admin/servetest — indicates successful CVE-2013-2578 exploitation used as a precursor.
- Alert on telnet login attempts using username 'qmik' with no password to TP-Link camera devices — this is a hard-coded backdoor credential.
- Detect the Authorization header value 'Basic YWRtaW46YWRtaW4=' (base64 for admin:admin) in HTTP requests to TP-Link camera CGI endpoints, indicating use of default/reset credentials.
- The vulnerability affects firmware version LM.1.6.18P12_sign5 and earlier; devices running beta firmware LM.1.6.18P12_sign6 or later are patched.