cbcvebase.
CVE-2014-3789
published 2014-05-22

CVE-2014-3789: GetPermissions.asp in Cogent Real-Time Systems Cogent DataHub before 7.3.5 allows remote attackers to execute arbitrary commands via unspecified vectors.

Priority: P274, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 64.19% (99.1th percentile)

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cogentdatahub | cogent_datahub | <= 7.3.4 | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |
| cogentdatahub | cogent_datahub | | |

Detection & IOCs (extracted from sources)

path: /Silverlight/GetPermissions.asp
path: C:\Program files (x86)\Cogent\Cogent DataHub\require\AJAXSupport.g
  • Monitor HTTP POST requests to /Silverlight/GetPermissions.asp with a `password` parameter containing parentheses, backslashes, or `load_plugin` strings, which indicate injection attempts against the datahub_command function.
  • Detect WebDAV traffic (OPTIONS, PROPFIND methods) originating from or directed to the Cogent DataHub host, as the exploit uses a WebDAV server to serve the malicious DLL payload.
  • Alert on HTTP 200 responses from /Silverlight/GetPermissions.asp containing the string `PermissionRecord`, which confirms the vulnerable endpoint is reachable and responding.
  • Detect UNC path patterns (double-backslash host references) in the `password` POST parameter to /Silverlight/GetPermissions.asp, indicating an attempt to load a remote DLL via SMB/WebDAV.
  • Monitor for the presence or modification of AJAXSupport.g on the DataHub host filesystem, as exploitation of the related code injection vector depends on this Gamma script file.
  • The CISA advisory ICSA-14-198-01 clarifies that while the trigger is remote (POST to ASP page), the attacker must first have write access to the target filesystem to place a Gamma script file for execution; pure remote-only detections may miss the prerequisite write-access stage.
  • After successful exploitation the remote DataHub service is likely to hang and require manual restart, which can serve as a post-exploitation indicator.
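The request-level checks from the list above, combined into one pass over proxy events, as an added example (not code from the advisory, the vendor or this page's sources). The event dict layout, the host addresses, the case-insensitive path match and the sample `password` values are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

TARGET = "/silverlight/getpermissions.asp"   # compared case-insensitively (assumption)
UNC = re.compile(r"\\\\[^\\\s]+\\")           # \\host\ prefix of a UNC path

def password_flags(body):
    """Return indicator names found in the form-encoded `password` field."""
    flags = set()
    for value in parse_qs(body, keep_blank_values=True).get("password", []):
        if "(" in value or ")" in value:
            flags.add("parentheses")
        if "\\" in value:
            flags.add("backslash")
        if "load_plugin" in value.lower():
            flags.add("load_plugin")
        if UNC.search(value):
            flags.add("unc_path")
    return flags

def analyze(event, datahub_host):
    """Map one proxy event (hypothetical dict layout) to a list of alert names."""
    alerts = []
    path = event["path"].split("?", 1)[0].lower()
    # WebDAV methods from or to the DataHub host
    if event["method"] in ("OPTIONS", "PROPFIND") and datahub_host in (event["src"], event["dst"]):
        alerts.append("webdav_traffic")
    if path == TARGET:
        if event["method"] == "POST":
            alerts += sorted(password_flags(event.get("body", "")))
        # 200 with PermissionRecord: endpoint is reachable and responding
        if event.get("status") == 200 and "PermissionRecord" in event.get("response", ""):
            alerts.append("endpoint_responding")
    return alerts

# Constructed sample events; addresses and field values are illustrative only.
DATAHUB = "10.0.0.5"
ASP = "/Silverlight/GetPermissions.asp"
SAMPLE = [
    {"src": "10.0.0.9", "dst": DATAHUB, "method": "POST", "path": ASP, "status": 200,
     "body": "username=op&password=hunter2", "response": "<PermissionRecord/>"},
    {"src": "10.0.0.9", "dst": DATAHUB, "method": "POST", "path": ASP, "status": 200,
     "body": "username=op&password=%5C%5C192.0.2.10%5Cshare%5Cx", "response": ""},
    {"src": "10.0.0.9", "dst": DATAHUB, "method": "POST", "path": ASP, "status": 200,
     "body": "username=op&password=a(load_plugin)b", "response": ""},
    {"src": DATAHUB, "dst": "192.0.2.10", "method": "PROPFIND", "path": "/share/",
     "status": 207, "body": "", "response": ""},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev["method"], ev["path"], analyze(ev, DATAHUB))
```

The filesystem and service-hang indicators in the list are host-side signals and are not covered by this network-side pass.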