cbcvebase.
CVE-2015-2279
published 2017-07-25

Priority: P2 (75) · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 17.62% (96.8th percentile)
cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac, write_pid, write_msn, write_tan, or write_hdv parameter.

Affected (3 ranges)

Vendor    Product            Version range                Fixed in
airlive   bu-2015_firmware   firmware 1.03.18 (tested)    not listed
airlive   bu-3026_firmware   firmware 1.43 (tested)       not listed
airlive   md-3025_firmware   firmware 1.81 (tested)       not listed

Detection & IOCs (extracted from sources)

Type      Indicator
path      /cgi_test.cgi
path      /cgi-bin/mft/wireless_mft.cgi
url       http://<host>:8080/cgi_test.cgi?write_tan&;ls&ls%20-la
url       http://<host>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials
path      /var/www/secret.passwd
path      /opt/ipnc/info_writer
command   write_tan&;ls&ls%20-la
  • Monitor HTTP requests to cgi_test.cgi whose query string contains shell metacharacters (semicolon, pipe, backtick, etc.) after an ampersand in the write_mac, write_pid, write_msn, write_tan, or write_hdv parameter; these indicate exploitation attempts of CVE-2015-2279.
  • cgi_test.cgi requires no authentication by default. It is blocked only when the camera is explicitly configured to require HTTPS for all communications, which is not the default setting, so the endpoint is directly reachable by unauthenticated remote attackers.
  • Detect exploitation of wireless_mft.cgi by monitoring for requests that use the hard-coded credentials (manufacture/erutcafunam) together with shell metacharacters in the ap parameter.
  • Alert on HTTP requests to /credentials on AirLive camera web servers; this path may indicate that an attacker has already copied the Base64-encoded credential file (/var/www/secret.passwd) into the web root via the wireless_mft.cgi injection and is retrieving it.
  • The published payload places a semicolon directly after an ampersand to chain OS commands; pattern-match URL query strings containing "&;" that target these CGI endpoints.
  • The vulnerable device typically exposes the CGI on port 8080; monitor for exploitation attempts on that port targeting cgi_test.cgi.
  • Injection via the cgi_test.cgi parameters is length-constrained per parameter; for example, write_pid checks that the value is exactly 9 characters long, which limits but does not prevent exploitation.
  • Other AirLive devices beyond the tested models (BU-2015, BU-3026, MD-3025, WL-2000CAM, POE-200CAM v2) may also be affected but were not verified.
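The detection rules above, applied to web-server access logs, as an added example that is not part of this page, the vendor's firmware, or any published advisory code. The script assumes Combined Log Format (host, ident, user, time, request, status, size, referer, agent), treats the logged user field as the HTTP basic-auth user (so the hard-coded "manufacture" account shows up there), and uses rule names chosen here for illustration. The sample log lines are constructed: the addresses, timestamps and user agents are made up, while the request targets are the PoC URLs from the IOC list.

```python
import re
from urllib.parse import unquote, urlsplit

# Parameters named in the CVE-2015-2279 description.
VULN_PARAMS = ("write_mac", "write_pid", "write_msn", "write_tan", "write_hdv")
# Shell metacharacters that chain or substitute commands.
META = re.compile(r"[;|`$]|&&")
# Hard-coded account reported for wireless_mft.cgi (password: erutcafunam).
HARDCODED_USER = "manufacture"

# Combined Log Format: host ident user [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): addresses, timestamps and user
# agents are made up; the request targets are the PoC URLs from the IOC list.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2017:10:00:01 +0000] "GET /cgi_test.cgi?write_tan&;ls&ls%20-la HTTP/1.1" 200 512 "-" "curl/7.47.0"
10.0.0.5 - manufacture [25/Jul/2017:10:00:02 +0000] "GET /cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials HTTP/1.1" 200 12 "-" "curl/7.47.0"
10.0.0.5 - - [25/Jul/2017:10:00:03 +0000] "GET /credentials HTTP/1.1" 200 88 "-" "curl/7.47.0"
10.0.0.9 - - [25/Jul/2017:10:01:00 +0000] "GET /cgi_test.cgi?write_tan=123456789 HTTP/1.1" 200 20 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Jul/2017:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def query_pairs(raw_query):
    """Split a raw query string on '&' only, so a ';' stays inside the value
    where it belongs (it is the injection, not a separator)."""
    pairs = []
    for chunk in raw_query.split("&"):
        key, _, value = chunk.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs


def classify_request(target, user="-"):
    """Return the names of the detection rules that fire for one request."""
    hits = []
    parts = urlsplit(target)
    # Decode first: '%3B' must be matched as ';'.
    path, query = parts.path, unquote(parts.query)

    if path.endswith("cgi_test.cgi"):
        # The PoC form is 'write_tan&;ls&ls -la': the parameter name appears
        # as a bare key and the injected command follows the next '&'.
        for param in VULN_PARAMS:
            pos = query.find(param)
            if pos == -1:
                continue
            _, amp, tail = query[pos + len(param):].partition("&")
            if amp and META.search(tail):
                hits.append("cgi_test_cmd_injection:" + param)

    if "/cgi-bin/mft/wireless_mft" in path:
        ap_values = [v for k, v in query_pairs(parts.query) if k == "ap"]
        if any(META.search(v) for v in ap_values):
            hits.append("wireless_mft_ap_injection")
        if user == HARDCODED_USER:
            hits.append("wireless_mft_hardcoded_user")

    if path == "/credentials":
        hits.append("credentials_file_fetch")
    return hits


def scan_log(text):
    """Return (host, target, rules) for every log line that triggers a rule."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify_request(m["target"], m["user"])
        if rules:
            alerts.append((m["host"], m["target"], rules))
    return alerts


if __name__ == "__main__":
    for host, target, rules in scan_log(SAMPLE_LOG):
        print(f"{host}  {', '.join(rules)}  {target}")
```

Run as-is it flags the three requests from 10.0.0.5 (the cgi_test.cgi injection, the wireless_mft ap injection under the hard-coded user, and the follow-up fetch of /credentials) and stays quiet on the benign write_tan=123456789 request, because the first rule requires metacharacters after an ampersand that follows the parameter name rather than merely the parameter name itself. Splitting the query on "&" only, instead of using parse_qs, is deliberate: older Python versions also split on ";", which would hide the very character the rule looks for.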

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C