CVE-2014-9605
published 2015-09-04

Priority: P2 60, critical
CVSS 2.0: 9.4 (AV:N/AC:L/Au:N/C:C/I:N/A:C)
EXPLOIT
EPSS: 3.94% (89.1th percentile)
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but this may be inaccurate.

Affected

3 ranges
Vendor      Product     Version range        Fixed in
netsweeper  netsweeper  >= 3.1.0 < 3.1.10    3.1.10
netsweeper  netsweeper  >= 4.0.0 < 4.0.9     4.0.9
netsweeper  netsweeper  >= 4.1.0 < 4.1.2     4.1.2

Detection & IOCs

url: http://netsweeper/webupgrade/webupgrade.php
path: /webupgrade/webupgrade.php
command: POST: step=&login='&password='&show_advanced_output=
command: POST: step=12&login='&password='&show_advanced_output=
command: POST: step=12&restart=yes&show_advanced_output=false
command: POST: step=9&stopservices=yes&show_advanced_output=
  • Detect POST requests to /webupgrade/webupgrade.php containing a single-quote (') in both the login and password parameters, which is the authentication bypass trigger.
  • Alert on POST requests to /webupgrade/webupgrade.php with step=12 and restart=yes, indicating an attacker attempting to restart the server after the authentication bypass.
  • Alert on POST requests to /webupgrade/webupgrade.php with step=9 and stopservices=yes, indicating an attacker attempting to stop content filtering services.
  • Monitor for unexpected creation or download of system backup tarball files from the Netsweeper server, as exploitation can expose /etc, /usr, and /var directory contents.
  • The vulnerability was originally reported as SQL injection but may not be a true SQL injection; the bypass is triggered by single-quote characters in login/password fields, possibly exploiting application logic rather than a SQL backend.
  • Affected versions include Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2; detections should be scoped to these versions and the /webupgrade/ endpoint.
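
The three request-level detections above, applied to logged requests; this is an added example, not part of the original entry or of any vendor tooling. The tab-separated record format (method, URL, POST body), the rule names and the sample records are assumptions constructed for illustration, and it presumes a proxy or WAF that logs POST bodies.

```python
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

TARGET = "/webupgrade/webupgrade.php"  # endpoint named in the entry

def classify(method, url, body):
    """Return the names of the rules that one HTTP request matches."""
    # Decode and normalise the path so /webupgrade/./webupgrade.php still matches.
    path = normpath(unquote(urlsplit(url).path))
    if method.upper() != "POST" or path != TARGET:
        return []
    # parse_qs percent-decodes values, so %27 is treated like a literal quote.
    form = parse_qs(body, keep_blank_values=True)
    quoted = lambda k: any("'" in v for v in form.get(k, []))
    has = lambda k, want: want in (v.lower() for v in form.get(k, []))
    hits = []
    if quoted("login") and quoted("password"):
        hits.append("auth-bypass-quote")
    if has("step", "12") and has("restart", "yes"):
        hits.append("server-restart")
    if has("step", "9") and has("stopservices", "yes"):
        hits.append("stop-filters")
    return hits

def scan(lines):
    """Return (line number, matched rules) for every flagged record."""
    flagged = []
    for n, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # malformed record: not method, URL, body
        hits = classify(*parts)
        if hits:
            flagged.append((n, hits))
    return flagged

# Constructed sample records (hypothetical log format): METHOD<TAB>URL<TAB>BODY
SAMPLE = [
    "POST\t/webupgrade/webupgrade.php\tstep=&login='&password='&show_advanced_output=",
    "POST\t/webupgrade/webupgrade.php\tstep=12&restart=yes&show_advanced_output=false",
    "POST\t/webupgrade/webupgrade.php\tstep=9&stopservices=yes&show_advanced_output=",
    "POST\t/webupgrade/./webupgrade.php\tstep=12&login=%27&password=%27",
    "POST\t/webupgrade/webupgrade.php\tstep=1&login=admin&password=example",
    "GET\t/index.php\t",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(n, ",".join(hits))
```
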