cbcvebase.
CVE-2013-6618
published 2013-11-05

CVE-2013-6618: jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3, and 12.3 before 12.3R1 allows remote…

PriorityP264critical9CVSS 2.0
AVNACLAuSCCICAC
EXPLOIT
EPSS
10.61%
95.2th percentile
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3, and 12.3 before 12.3R1 allows remote authenticated users to execute arbitrary commands via the rsargs parameter in an exec action.

Affected

11 ranges
VendorProductVersion rangeFixed in
juniperj-web
juniperjunos<= 10.4
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos
juniperjunos_os

Detection & IOCsextracted from sources · hover to see the quote

commandPOST /jsdm/ajax/port.php rs=file_get_contents&rsargs[]=/tmp
  • Monitor HTTP POST requests to /jsdm/ajax/port.php with 'rs=exec' or 'rs=file_get_contents' parameters, which indicate exploitation attempts of CVE-2013-6618.
  • Detect session hijacking attempts by monitoring for reads of /tmp directory contents via the rs=file_get_contents&rsargs[]=/tmp pattern in J-Web requests.
  • ·Exploitation requires remote authenticated access (read-only credentials are sufficient); unauthenticated exploitation is not possible.
  • ·Command execution occurs within a chroot environment (UID=0/root inside chroot), limiting direct host-level impact but still enabling privilege escalation via session hijacking.
  • ·All Junos OS builds prior to 2013-02-28 are affected; the fix has not been independently validated by the discovering researcher (SOS).
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.