cbcvebase.
CVE-2013-4864
published 2020-01-28


Priority: P263, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.31% (92.7th percentile)
MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue.

Affected

1 range
Vendor | Product | Version range | Fixed in
micasaverde | veralite_firmware | |

Detection & IOCs (extracted from sources)

path: /cgi-bin/cmh/proxy.sh
url: http://A.B.C.D/cgi-bin/cmh/proxy.sh?url=https://www.trustwave.com
path: /cgi-bin/cmh/get_file.sh
path: /cgi-bin/cmh/store_file.sh
path: /cgi-bin/cmh/backup.sh
path: /upgrade_step2.sh
port: 49451
path: /upnp/control/hag
path: /port_49451/upnp/control/hag
command: os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")
other: SOAPACTION: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
  • Detect SSRF exploitation attempts by monitoring HTTP GET requests to /cgi-bin/cmh/proxy.sh with a 'url' parameter pointing to internal or external hosts.
  • Detect path traversal attempts via GET requests to /cgi-bin/cmh/get_file.sh with 'filename' parameter containing '../' sequences.
  • Detect privilege escalation via firmware update endpoint by monitoring GET requests to /upgrade_step2.sh with a 'squashfs' parameter referencing a remote URL.
  • Detect sensitive file exfiltration attempts via GET requests to /cgi-bin/cmh/backup.sh with 'external=1' parameter.
  • Detect backdoor account creation via Lua RunLua payloads containing 'os.execute' with echo commands writing to /etc/passwd.
  • The path traversal via get_file.sh requires the target directory to exist first; it can be pre-created using store_file.sh, meaning exploitation is a two-step process.
  • The SSRF and other attacks can also be launched through the Internet-based control panel at cp.mios.com when authenticated as admin or guest, extending the attack surface beyond the LAN.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P