cbcvebase.
CVE-2014-5073
published 2014-08-29

CVE-2014-5073: vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute arbitrary commands via shell metacharacters in the…

PriorityP278high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
73.45%
99.4th percentile
vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute arbitrary commands via shell metacharacters in the fileDate parameter in a DOWN call.

Affected

3 ranges
VendorProductVersion rangeFixed in
vmturbooperations_manager<= 4.6
vmturbooperations_manager
vmturbooperations_manager

Detection & IOCsextracted from sources · hover to see the quote

path/cgi-bin/vmtadmin.cgi
commandGET /cgi-bin/vmtadmin.cgi?callType=ACTION&actionType=VERSIONS
  • Detect exploitation attempts by monitoring HTTP GET requests to /cgi-bin/vmtadmin.cgi with callType=DOWN and actionType=CFGBACKUP, especially where the fileDate parameter contains shell metacharacters such as backticks or backtick-wrapped command strings.
  • Fingerprint vulnerable VMTurbo instances by sending a GET request to /cgi-bin/vmtadmin.cgi?callType=ACTION&actionType=VERSIONS and parsing the response for the pattern vmtbuild:<digits>,vmtrelease:<version>,vmtbits:<digits>,osbits:<digits>; versions prior to 4.6 build 28657 are vulnerable.
  • The vulnerability is a blind OS command injection — no command output is returned in the HTTP response. Detection should rely on out-of-band indicators (e.g., unexpected outbound connections, DNS lookups, or new processes spawned by the CGI process) rather than response content inspection.
  • The exploit requires no authentication. Any unauthenticated HTTP GET to the vulnerable endpoint with a crafted fileDate parameter should be treated as a high-confidence attack indicator.
  • ·The Metasploit module uses a printf-based CmdStager (flavor: printf) to stage ELF payloads onto the target; detection rules should account for sequences of short printf commands written to a temp path followed by a chmod/exec sequence.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.