CVE-2013-3568
published 2020-02-06

Priority: P1 · 79 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 25.13% (97.7th percentile)
Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT110 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.

Detection & IOCs (extracted from sources)

path: /ping.cgi
path: /HNAP1/
command: pingstr=& <cmd>
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; startswith; endswith; http.request_body; content:"pingstr="; startswith; fast_pattern; content:"|3b|"; within:25; reference:cve,2013-3568; reference:url,www.exploit-db.com/exploits/28484; classtype:attempted-user; sid:2027097; rev:6; metadata:attack_target IoT, created_at 2019_03_19, cve CVE_2013_3568, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_04_13;)
  • Detect exploitation attempts by matching HTTP POST requests to /ping.cgi with a body starting with 'pingstr=' followed by a semicolon (0x3b) within 25 bytes — the semicolon is the shell command injection separator injected via the ping field.
  • Check for HTTP GET requests to /HNAP1/ as a fingerprinting/check step used by the exploit to confirm the target is a vulnerable WRT110 device before launching the attack.
  • The exploit targets Linux MIPS little-endian (mipsel) architecture; payloads delivered will be MIPS LE ELF binaries staged via an echo command stager over the ping CGI injection point.
  • The exploit authenticates using HTTP Basic Auth with default credentials (admin:admin) before injecting commands; alert on Basic Auth attempts to router management interfaces from external networks.
  • The Snort/Suricata rule (ET sid:2027097) targets traffic flowing from EXTERNAL_NET to HOME_NET; ensure your network zone variables ($HOME_NET) correctly include the router's management IP, otherwise the rule will not fire on internal-only deployments.
  • The CVE is described as a CSRF vulnerability in NVD, but the exploit abuses a command injection in the ping CGI endpoint; detection should cover both the CSRF vector (forged authenticated requests) and direct authenticated command injection via /ping.cgi.
  • The exploit module also covers the WRT100 model in addition to WRT110; detection rules and asset inventories should include both device models.
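
Added example (not part of the original entry or of the Emerging Threats ruleset): an offline Python approximation of the matching logic in sid:2027097, useful for triaging proxy or web logs where no IDS sensor sits in front of the router. The HttpRequest type, the src_external flag and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PREFIX = b"pingstr="   # request body must start with this (rule: startswith)
WINDOW = 25            # rule: within:25, counted from the end of PREFIX


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes = b""
    src_external: bool = True  # assumption: source zone was classified upstream


def matches_sid_2027097(req):
    """Approximate the rule: POST, URI exactly /ping.cgi, body starting with
    pingstr= and a 0x3b byte somewhere in the following 25 bytes."""
    if req.method != "POST" or req.uri != "/ping.cgi":
        return False
    if not req.body.startswith(PREFIX):
        return False
    return b";" in req.body[len(PREFIX):len(PREFIX) + WINDOW]


def triage(requests):
    """Return (index, reason) findings. Besides rule hits, flag the GET to
    /HNAP1/ listed above, and mark hits from internal sources, which the
    EXTERNAL_NET -> HOME_NET direction of the rule would not see."""
    findings = []
    for i, req in enumerate(requests):
        if matches_sid_2027097(req):
            zone = "external" if req.src_external else "internal, outside rule direction"
            findings.append((i, "separator in pingstr (" + zone + ")"))
        elif req.method == "GET" and req.uri == "/HNAP1/":
            findings.append((i, "HNAP1 probe"))
    return findings


# Constructed sample traffic; 192.0.2.1 is a documentation address.
SAMPLES = [
    HttpRequest("GET", "/HNAP1/"),
    HttpRequest("POST", "/ping.cgi", b"pingstr=192.0.2.1"),
    HttpRequest("POST", "/ping.cgi", b"pingstr=192.0.2.1; <cmd>"),
    HttpRequest("POST", "/ping.cgi", b"pingstr=; <cmd>", src_external=False),
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLES):
        print(index, reason)
```
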

CVSS provenance

nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck · 8.8 · HIGH