CVE-2015-2995
published 2015-06-08

Priority P260 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 33.79% (98.2th percentile)
The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote attackers to upload and execute arbitrary files via a NULL byte after the extension, as demonstrated by a .war%00 file.

Affected (1 range)

Vendor    Product    Version range    Fixed in
sysaid    sysaid     <= 15.1

Detection & IOCs (extracted from sources)

  • Detect unauthenticated POST requests to the RdsLogsEntry servlet path (/sysaid/rdslogs) — no authentication is required to upload files.
  • Alert on POST requests to /sysaid/rdslogs containing a 'rdsName' query parameter with a null byte (\x00 / %00) in the filename, especially with a .war extension before the null byte.
  • Detect path traversal sequences (e.g., '../../../../') in the rdsName parameter of requests to the rdslogs servlet.
  • Monitor for new .war files appearing in the Tomcat webapps directory (tomcat/webapps/) as a post-exploitation indicator of successful WAR deployment.
  • A Content-Type of 'application/octet-stream' or 'application/xml' on POST requests to /sysaid/rdslogs with Zlib-deflated body is characteristic of this exploit.
  • After WAR upload, watch for GET requests to a newly created random-named application path on the same server — this is the payload trigger step.
  • The null-byte injection technique only works on Java 6 or Java 7 up to 7u25; Java 7u40 and above patch null byte injection in file names, making the exploit ineffective on those JVM versions.
  • Windows SysAid installations are practically unexploitable because SysAid bundles Java 7u40+ with its Windows package, which blocks null byte injection.
  • The exploit requires a preliminary request to create the upload directory before the WAR upload will succeed.
  • Affected versions are SysAid Help Desk v14.3 and v14.4 (specifically confirmed on v14.3.12 b22 and v14.4.32 b25); the vulnerability is fixed in version 15.2 and later.
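
One way to apply the request-level indicators above to web access logs, as an added example (not code from the source advisories or from SysAid). It assumes combined-format access logs that record the query string; the indicator names, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SERVLET_PATH = "/sysaid/rdslogs"  # servlet path named in the indicators above

def classify(line):
    """Return the set of indicator names (hypothetical labels) matched by one log line."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "POST":
        return set()
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/").lower() != SERVLET_PATH:
        return set()
    hits = {"post_to_rdslogs"}
    # parse_qs percent-decodes values, so %00 and %2F are normalised before the checks.
    for name in parse_qs(url.query, keep_blank_values=True).get("rdsName", []):
        if "\x00" in name:
            hits.add("null_byte_in_rdsName")
            # Extension the servlet would see before the truncating null byte.
            if name.split("\x00", 1)[0].lower().endswith(".war"):
                hits.add("war_before_null_byte")
        if "../" in name or "..\\" in name:
            hits.add("path_traversal_in_rdsName")
    return hits

def triage(lines):
    """Return (line_number, sorted indicators) for every line with at least one hit."""
    return [(i, sorted(h)) for i, line in enumerate(lines, 1) if (h := classify(line))]

# Constructed sample entries (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jun/2015:10:00:01 +0000] '
    '"POST /sysaid/rdslogs?rdsName=..%2F..%2Fdemo.war%00 HTTP/1.1" 200 0',
    '198.51.100.7 - - [08/Jun/2015:10:00:05 +0000] '
    '"POST /sysaid/rdslogs?rdsName=agent01 HTTP/1.1" 200 0',
    '203.0.113.9 - - [08/Jun/2015:10:01:00 +0000] "GET /sysaid/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for lineno, indicators in triage(SAMPLE_LOG):
        print(lineno, ", ".join(indicators))
```

A line that matches only `post_to_rdslogs` is the weakest signal; the null-byte and traversal indicators correspond to the more specific bullets and are the ones worth alerting on directly.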