cbcvebase.
CVE-2013-6810
published 2013-12-12

CVE-2013-6810: The server in Brocade Network Advisor before 12.1.0, as used in EMC Connectrix Manager Converged Network Edition (CMCNE), HP B-series SAN Network Advisor, and…

PriorityP272critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
17.00%
96.7th percentile
The server in Brocade Network Advisor before 12.1.0, as used in EMC Connectrix Manager Converged Network Edition (CMCNE), HP B-series SAN Network Advisor, and possibly other products, allows remote attackers to execute arbitrary code by using a servlet to upload an executable file.

Affected

3 ranges
VendorProductVersion rangeFixed in
emcconnectrix_manager
emcconnectrix_manager
emcconnectrix_manager

Detection & IOCsextracted from sources · hover to see the quote

url/inmservlets/FileUploadController
url/HttpFileUpload/FileUploadController.do
path..\..\..\deploy\dcm-client.war\
path/dcm-client/<jsp_name>.jsp
  • Detect multipart POST requests to /inmservlets/FileUploadController with a custom 'ROOTDIR' HTTP header set to 'ftproot' and a filename parameter containing path traversal sequences targeting the deploy directory.
  • Detect multipart POST requests to /HttpFileUpload/FileUploadController.do where the uploaded filename field contains directory traversal sequences (e.g., '..\..\..\deploy\dcm-client.war\').
  • Alert on HTTP 200 responses containing the string 'SUCCESSFULLY UPLOADED FILES!' from the target servlets, indicating a successful malicious file upload.
  • Monitor for subsequent GET requests to /dcm-client/*.jsp immediately after a POST to the FileUploadController endpoints, indicating payload execution of an uploaded JSP webshell.
  • ·The exploit targets port 80 by default, but the actual Brocade Network Advisor / EMC CMCNE deployment may run on a different port; detections should not be limited to port 80 alone.
  • ·The uploaded JSP filename is randomly generated (4–32 alphanumeric characters) per exploit run, so filename-based detections must use a pattern match (e.g., regex for random alphanum + .jsp in /dcm-client/) rather than a static filename.
  • ·Two distinct servlet endpoints are exploited across the two PoC modules (inmservlets/FileUploadController vs HttpFileUpload/FileUploadController.do); both must be covered in detection rules.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.