CVE-2014-0780
published 2014-04-25

Priority P193 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-06
Exploited in the wild
EPSS: 74.55% (99.4th percentile)

Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| indusoft | web_studio | | |

Detection & IOCs (extracted from sources)

path: ////../../../../../../../../boot.ini
filename: *.APP
  • Detect HTTP GET requests to NTWebServer (default port 80) containing repeated '../' sequences in the URI path, indicative of directory traversal attempts against InduSoft Web Studio.
  • Alert on HTTP 200 responses from NTWebServer where the response message contains 'Sending file', as the Metasploit module uses this string to confirm successful file retrieval.
  • Monitor for outbound retrieval of .APP files from the InduSoft Web Studio host, as these files may contain administrative credentials enabling follow-on remote code execution.
  • The traversal depth defaults to 10 levels and is configurable to any depth; detection rules should match URIs with 8 or more consecutive '../' sequences targeting the NTWebServer process.
  • NTWebServer is a test/demonstration web server not intended for production use; its presence in a live environment is itself a misconfiguration that exposes this vulnerability.
  • The default traversal depth used by the Metasploit module is 10 levels, but the DEPTH option is configurable, meaning detection signatures relying on a fixed traversal depth may miss variants.
  • The default target file in the Metasploit module is 'boot.ini', but the FILE option is fully configurable, so defenders should not rely solely on detecting requests for specific filenames.
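
The detection notes above, combined into one classifier. This is an added example, not code from this page or any vendor rule; the event fields (`uri`, `status`, `message`) and the sample events are constructed assumptions about how a proxy or sensor in front of NTWebServer would record requests. It goes slightly beyond the notes by percent-decoding the path before matching, and it reports the observed depth instead of requiring a fixed one.

```python
import re
from urllib.parse import unquote

# A '..' path segment delimited by '/' or '\'. Counting segments instead of
# requiring a fixed depth keeps the rule valid when DEPTH is changed.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?=[/\\]|$)")
APP_FILE = re.compile(r"\.app$", re.IGNORECASE)


def normalize(uri: str) -> str:
    """Drop the query string and percent-decode until the path is stable."""
    path = uri.split("?", 1)[0]
    for _ in range(3):  # bounded so nested encoding cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(event: dict) -> list[str]:
    """Return findings for one HTTP event (assumed keys: uri, status, message)."""
    findings = []
    path = normalize(event["uri"])
    depth = len(TRAVERSAL.findall(path))
    if depth:
        findings.append(f"traversal(depth={depth})")
    if APP_FILE.search(path):  # credential-bearing project files
        findings.append("app-file-request")
    if event["status"] == 200 and "Sending file" in event.get("message", ""):
        findings.append("file-sent")  # server confirmed it returned a file
    return findings


# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    {"uri": "/index.html", "status": 200, "message": "OK"},
    {"uri": "////../../../../../../../../boot.ini", "status": 200,
     "message": "Sending file"},
    {"uri": "/..%2f..%2fproject.APP", "status": 404, "message": "Not Found"},
    {"uri": "/../readme.txt", "status": 200, "message": "Sending file"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["uri"], "->", classify(ev) or "clean")
```

A `traversal` finding together with `file-sent` indicates a successful read and warrants higher severity than a traversal attempt alone.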

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 · CRITICAL
cisa · 9.8 · CRITICAL