CVE-2013-2678
published 2020-02-04


Priority: P2, 77, high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 16.87% (96.7th percentile)
Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted URL request to the apply.cgi script using the submit_type parameter.

Affected

1 range

Vendor | Product | Version range | Fixed in
cisco | linksys_e4200_firmware | |

Detection & IOCs (extracted from sources)

path: /apply.cgi
command: submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=
url: /apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=
command: submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version
path: ../../proc/version
command: submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e101|&ping_times=5&traceroute_ip=

  • Monitor HTTP POST and GET requests to /apply.cgi containing the submit_type parameter with values such as 'start_ping' combined with shell metacharacters (%26, |) in the ping_size parameter, indicating OS command injection attempts against Linksys routers.
  • Detect directory traversal attempts against /apply.cgi via the next_page parameter containing '../' sequences (e.g., next_page=../../proc/version), which can expose sensitive local files on the device.
  • Alert on HTTP requests to /apply.cgi where submit_type=start_ping and ping_size contains URL-encoded shell operators (%26 for & or | characters), as these are the primary injection vectors for CVE-2013-2678.
  • The PNScan trojan exploits CVE-2013-2678 to compromise Linksys routers and subsequently installs the Tsunami backdoor; after a suspected compromise, check Linksys devices for Tsunami backdoor indicators.
  • CVE-2013-2678 is exploited alongside a vulnerability in HNAP (Home Network Administration Protocol) when targeting Linksys routers; monitor for anomalous HNAP requests in conjunction with apply.cgi exploitation attempts.
  • The OS command injection via ping_size requires the attacker to be authenticated to the device, or to chain with another vulnerability (e.g., CSRF) to inject commands without prior authentication.
  • The directory traversal via next_page also requires authentication or chaining with another access method; standalone unauthenticated exploitation of this specific vector is not confirmed.
  • Multiple Linksys firmware versions are affected across different models (E1500, E2500, WRT160Nv2); detections should not be scoped to a single firmware build.
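
Added example (not part of the source record or of any vendor rule): one way to implement the two /apply.cgi checks described above over captured requests, in Python. The function name, finding labels and the rule that a legitimate ping_size is a plain integer are assumptions; the first two sample requests reuse the patterns listed above, the other two are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")  # a ".." path segment
INTEGER = re.compile(r"[0-9]+")


def classify(target, body=""):
    """Return a list of findings for one HTTP request.

    target: request target from the access log (path plus optional query)
    body:   form-encoded POST body, if the sensor captured one
    """
    parts = urlsplit(target)
    if parts.path != "/apply.cgi":
        return []
    # Merge query-string and body parameters. parse_qs splits on '&' first
    # and percent-decodes afterwards, so an encoded %26 stays in its value.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)

    findings = []
    if "start_ping" in params.get("submit_type", []):
        # Assumption: a legitimate ping_size is a plain integer, so any
        # other non-empty value (&, |, text) is reported.
        sizes = [v for v in params.get("ping_size", []) if v]
        if any(not INTEGER.fullmatch(v) for v in sizes):
            findings.append("ping_size_not_numeric")
    for value in params.get("next_page", []):
        # Decode a second time so a double-encoded "../" is still caught.
        if TRAVERSAL.search(unquote(value)):
            findings.append("next_page_traversal")
            break
    return findings


# (target, body) pairs: the first two use the patterns listed on this page,
# the last two are constructed benign requests.
SAMPLES = [
    ("/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping"
     "&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=", ""),
    ("/apply.cgi", "submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version"),
    ("/apply.cgi", "submit_button=Diagnostics&submit_type=start_ping&ping_ip=1.1.1.1&ping_size=32&ping_times=5"),
    ("/index.asp", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(classify(target, body), target[:40], body[:40])
```

Because the checks key on the request shape rather than a firmware string, they apply unchanged to the other affected models noted above.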

CVSS provenance

nvd, v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck: 8.1 HIGH