CVE-2013-5758
published 2014-08-03

Priority: P272 | critical | 9 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 11.89% (95.6th percentile)
cgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote authenticated users to execute arbitrary commands by calling the system method in the body of a request, as demonstrated by running unauthorized services, changing directory permissions, and modifying files.

Detection & IOCs (extracted from sources)

path: /cgi-bin/cgiServer.exx
url: POST /cgi-bin/cgiServer.exx HTTP/1.1
command: system("/bin/busybox%20telnetd%20start")
command: system("/bin/busybox%20chmod%20-R%20777%20/etc")
other: Authorization: Basic YWRtaW46YWRtaW4=

  • Detect POST requests to /cgi-bin/cgiServer.exx containing 'system(' in the request body, which indicates attempted OS command injection via the system method.
  • Alert on HTTP requests to /cgi-bin/cgiServer.exx with body content matching 'system("/bin/busybox' — specifically for telnetd startup or chmod -R 777 payloads.
  • Flag use of the default Base64-encoded credential 'YWRtaW46YWRtaW4=' (admin:admin) in Authorization headers targeting Yealink SIP-T38G devices.
  • Monitor for unexpected telnetd processes or open telnet ports on Yealink VoIP devices, as exploitation starts an unauthorized telnetd service.
  • Exploitation requires valid (but potentially default) credentials. The default admin:admin credential (Base64: YWRtaW46YWRtaW4=) is referenced as the attack vector, so unauthenticated exploitation is not directly possible without the credential exposure in CVE-2013-5755.
  • The cgiServer.exx process runs with root privileges, so any command injected via the system() method executes with full root access on the device.
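
The request-level checks in the list above, as an added example (not code from the source page or from the vendor): a Python function that inspects one raw HTTP request and returns which indicators match. The label names, the sample requests and the address 192.0.2.10 are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

TARGET_PATH = "/cgi-bin/cgiServer.exx"
DEFAULT_CREDS = "admin:admin"  # default credential named on this page
BUSYBOX_RE = re.compile(r'system\("/bin/busybox\s+(telnetd\b|chmod\s+-R\s+777\b)')

def inspect_request(raw: str) -> list[str]:
    """Return detection labels (assumed names) for one raw HTTP request."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    if unquote(parts[1].split("?", 1)[0]) != TARGET_PATH:
        return []
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in lines[1:]) if sep}
    findings = []
    decoded = unquote(body)  # payloads arrive with %20-encoded spaces
    if "system(" in decoded:
        findings.append("system-call-in-body")
    if BUSYBOX_RE.search(decoded):
        findings.append("busybox-telnetd-or-chmod")
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            creds = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed Base64 is not the default credential
            creds = ""
        if creds == DEFAULT_CREDS:
            findings.append("default-credentials")
    return findings

# Constructed sample requests (not captured traffic).
REQ = "POST /cgi-bin/cgiServer.exx HTTP/1.1\r\nHost: 192.0.2.10\r\n"
SAMPLES = {
    "telnetd": REQ + "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"
               'system("/bin/busybox%20telnetd%20start")',
    "chmod": REQ + "Authorization: Basic dXNlcjpleGFtcGxl\r\n\r\n"
             'system("/bin/busybox%20chmod%20-R%20777%20/etc")',
    "creds-only": REQ + "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\nping",
    "benign": "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

The same function can be run over request bodies reassembled from proxy logs or packet captures; the telnetd process and open-port check in the last detection bullet has to be done on the device or by a network scan and is not covered here.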

CVSS provenance

nvd: v2.0, 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck: 9.0 CRITICAL