CVE-2015-2284
published 2015-03-24


Priority: P277, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 74.21% (99.4th percentile)
userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before 6.6.5 HotFix1 allows remote attackers to gain privileges and execute arbitrary code via unspecified vectors, related to client session handling.

Affected

1 range

Vendor | Product | Version range | Fixed in
solarwinds | firewall_security_manager | <= 6.6.5 |

Detection & IOCs (extracted from sources)

url: /fsm/userlogin.jsp
url: /fsm/settings-new.jsp
url: /fsm/login.jsp
port: 48080
port: 8080
cookie: JSESSIONID
command: GET /fsm/userlogin.jsp?username=admin
command: POST /fsm/settings-new.jsp?action=uploadFile
filename: ../../jsp/<random>.jsp
  • Detect authentication bypass attempt: monitor for GET requests to /fsm/userlogin.jsp containing a 'username' query parameter, which abuses the session.putValue API to set session attributes before authentication.
  • Detect exploitation of the file upload action: monitor for POST requests to /fsm/settings-new.jsp with query parameter action=uploadFile, especially with multipart/form-data content type containing a JSP file disguised as an XLS host list.
  • Detect path traversal in uploaded filename: look for filenames containing '../../jsp/' in multipart upload requests to settings-new.jsp, indicating an attempt to write a JSP webshell outside the intended upload directory.
  • Detect server-side error response indicating successful JSP payload upload: the server responds with a body containing 'java.lang.NoClassDefFoundError' when the JSP file is treated as XLS.
  • Detect FSM Change Advisor web interface exposure: the login page returns the string 'SolarWinds FSM Change Advisor' in the response body; monitor for external access to /fsm/login.jsp on ports 48080 or 8080.
  • The default attack port is 48080 (express install), but the Change Advisor service may also run on port 8080 depending on installation type. Detection rules should cover both ports.
  • The exploit hardcodes 'admin' as the username for the session attribute injection, as this account exists by default and cannot be deleted.
  • The uploaded JSP payload is dropped into the jsp/ subdirectory via path traversal and executed by a subsequent GET request to /fsm/<filename>.jsp; the payload runs under SYSTEM context.
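
The two URL-level rules above, run over web access logs, as an added example that is not part of the original entry or any vendor tooling. It flags the userlogin.jsp and settings-new.jsp requests and raises severity when one client issues both in sequence. The log format, the severity labels and the per-client correlation are assumptions of this sketch, and the multipart filename check is out of scope because request bodies do not appear in access logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Mar/2015:10:00:01 +0000] "GET /fsm/login.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [24/Mar/2015:10:02:13 +0000] "GET /fsm/userlogin.jsp?username=admin HTTP/1.1" 200 312
198.51.100.7 - - [24/Mar/2015:10:02:14 +0000] "POST /fsm/settings-new.jsp?action=uploadFile HTTP/1.1" 200 904
192.0.2.10 - - [24/Mar/2015:10:05:40 +0000] "POST /fsm/userlogin.jsp HTTP/1.1" 302 0
203.0.113.5 - - [24/Mar/2015:10:07:02 +0000] "POST /fsm/settings-new.jsp?action=uploadFile HTTP/1.1" 200 640
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+')

def classify(method, target):
    """Return the name of the rule a request matches, or None."""
    url = urlsplit(target)
    path = url.path.lower()
    query = parse_qs(url.query, keep_blank_values=True)
    if method == "GET" and path == "/fsm/userlogin.jsp" and "username" in query:
        return "session-attribute-set"
    if (method == "POST" and path == "/fsm/settings-new.jsp"
            and "uploadFile" in query.get("action", [])):
        return "upload-action"
    return None

def scan(log_text):
    """Return (client, rule, severity) for every matching log line, in order."""
    primed, findings = set(), []  # primed: clients already seen on userlogin.jsp
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        rule = classify(method.upper(), target)
        if rule is None:
            continue
        if rule == "session-attribute-set":
            primed.add(client)
            severity = "medium"
        else:
            # Upload right after the pre-auth request from the same client.
            severity = "high" if client in primed else "medium"
        findings.append((client, rule, severity))
    return findings
```

Apply it to logs from both listener ports (48080 and 8080), since the service may run on either.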