CVE-2014-9605
Published 2015-09-04. CVE-2014-9605: WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup…
Priority: P2 (60). Severity: critical, 9.4 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Exploit: public exploit available
EPSS: 3.94% (89.1st percentile)
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but this may be inaccurate.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netsweeper | netsweeper | >= 3.1.0 < 3.1.10 | 3.1.10 |
| netsweeper | netsweeper | >= 4.0.0 < 4.0.9 | 4.0.9 |
| netsweeper | netsweeper | >= 4.1.0 < 4.1.2 | 4.1.2 |
Detection & IOCs (extracted from sources)
- Detect POST requests to /webupgrade/webupgrade.php containing a single-quote (') in both the login and password parameters, which is the authentication bypass trigger.
- Alert on POST requests to /webupgrade/webupgrade.php with step=12 and restart=yes, indicating an attacker attempting to restart the server after the authentication bypass.
- Alert on POST requests to /webupgrade/webupgrade.php with step=9 and stopservices=yes, indicating an attacker attempting to stop content filtering services.
- Monitor for unexpected creation or download of system backup tarball files from the Netsweeper server, as exploitation can expose /etc, /usr, and /var directory contents.
- The vulnerability was originally reported as SQL injection but may not be a true SQL injection; the bypass is triggered by single-quote characters in the login/password fields, possibly exploiting application logic rather than a SQL backend.
- Affected versions include Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2; detections should be scoped to these versions and the /webupgrade/ endpoint.
No detection rules found.
No writeups or analysis indexed.
References
- https://helpdesk.netsweeper.com/docs/3.1/release_notes/netsweeper_releasenotes/3_1_10_0_release_notes/3.1.10_release_notes.htm
- https://helpdesk.netsweeper.com/docs/4.0/release_notes/netsweeper_releasenotes/4_0_9_release_notes/4.0.9_release_notes.htm
- https://helpdesk.netsweeper.com/docs/4.1/release_notes/netsweeper_releasenotes/4_1_release_notes/4_1_2_release_notes/4.1.2_release_notes.htm
- https://www.exploit-db.com/exploits/37928/