cbcvebase.
CVE-2015-7611
published 2016-06-07

CVE-2015-7611: Apache James Server 2.3.2, when configured with file-based user repositories, allows attackers to execute arbitrary system commands via unspecified vectors.

Priority: P2 (75, high)
CVSS 3.0: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 68.60% (99.3rd percentile)

Affected (1 range)

Vendor   Product        Version range   Fixed in
apache   james_server   -               -

Detection & IOCs (extracted from sources)

port: 4555
port: 110
path: ../../../../../../../../etc/bash_completion.d
path: ../../../../../../../../etc/cron.d
command: adduser ../../../../../../../../etc/#{exploit_path} #{@account_password}
command: deluser ../../../../../../../../etc/cron.d
  • Detect directory traversal usernames being created via the Apache James Remote Administration Tool on port 4555. Look for 'adduser' commands containing '../' sequences targeting /etc/cron.d or /etc/bash_completion.d.
  • Monitor SMTP traffic (port 25) for mail addressed to recipients containing directory traversal sequences (e.g., '../../../../../../../../etc/'), which is used to drop payload files into /etc/cron.d or /etc/bash_completion.d.
  • Alert on unexpected file creation events under /etc/bash_completion.d or /etc/cron.d originating from the Apache James mail server process, as these are the two exploitation paths used by this CVE.
  • Check for SMTP banner string 'JAMES SMTP Server' on port 25 combined with 'JAMES Remote Administration Tool' on port 4555 to identify exposed vulnerable instances.
  • Monitor POP3 (port 110) login attempts using usernames containing path traversal strings such as '../../../../../../../../etc/cron.d', which is used during the cleanup/delivery phase of exploitation.
  • This vulnerability only affects Apache James Server 2.3.2 instances configured with file-based user repositories. Servers using other repository types are not affected.
  • The cron exploitation method may not work on certain Linux distributions such as Ubuntu; the Bash Completion target may be more reliable in those environments.
  • The Bash Completion exploitation method requires bash completion to be enabled on the target system to achieve code execution.
  • The default credentials for the James Remote Administration Tool are root/root; exploitation relies on these defaults being unchanged.
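The three detection checks in the list above (remote-administration 'adduser'/'deluser' usernames on port 4555, SMTP recipients on port 25, and POP3 usernames on port 110 carrying '../' sequences that resolve to /etc/cron.d or /etc/bash_completion.d) can be applied to log lines with a short scanner. The code below is an added example, not part of the cbcvebase record and not Apache James code; the key=value log layout (port=, src=, cmd=, RCPT TO:, USER), the source addresses and the password value in the sample lines are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Drop targets named in the detection guidance, relative to the filesystem root.
SENSITIVE_DIRS = ("etc/cron.d", "etc/bash_completion.d")
# One or more parent-directory hops; any such run in a username or recipient is suspicious.
TRAVERSAL = re.compile(r"(?:\.\./)+")

# Hypothetical log layouts, constructed for this example: one key=value event per line.
ADMIN_CMD = re.compile(r'port=4555 .*?cmd="(?P<cmd>adduser|deluser) (?P<user>\S+)')
SMTP_RCPT = re.compile(r"port=25 .*?RCPT TO:<(?P<rcpt>[^>]+)>")
POP3_USER = re.compile(r"port=110 .*?USER (?P<user>\S+)")

# Constructed sample log; the addresses and password are made up.
SAMPLE_LOG = """\
2016-06-07T10:00:01 james port=4555 src=203.0.113.5 cmd="adduser ../../../../../../../../etc/bash_completion.d s3cret"
2016-06-07T10:00:02 james port=4555 src=203.0.113.5 cmd="adduser alice hunter2"
2016-06-07T10:00:05 james port=25 src=203.0.113.5 RCPT TO:<../../../../../../../../etc/cron.d@localhost>
2016-06-07T10:00:06 james port=25 src=198.51.100.9 RCPT TO:<bob@example.org>
2016-06-07T10:00:09 james port=110 src=203.0.113.5 USER ../../../../../../../../etc/cron.d
2016-06-07T10:00:10 james port=110 src=198.51.100.9 USER bob
"""


@dataclass
class Finding:
    channel: str            # "admin" (port 4555), "smtp" (port 25) or "pop3" (port 110)
    value: str              # the offending username or recipient as logged
    target: Optional[str]   # sensitive directory it resolves to, or None if some other path


def resolve_target(name: str) -> Optional[str]:
    """Strip the leading '../' run and report which sensitive directory remains, if any."""
    local = name.split("@", 1)[0]                      # mail recipients carry a domain part
    rest = TRAVERSAL.sub("", local, count=1).lstrip("/")
    for d in SENSITIVE_DIRS:
        if rest == d or rest.startswith(d + "/"):
            return "/" + d
    return None


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding when a username/recipient on one of the three channels contains traversal."""
    channels = (("admin", ADMIN_CMD, "user"),
                ("smtp", SMTP_RCPT, "rcpt"),
                ("pop3", POP3_USER, "user"))
    for channel, pattern, group in channels:
        m = pattern.search(line)
        if m and TRAVERSAL.search(m.group(group)):
            value = m.group(group)
            return Finding(channel, value, resolve_target(value))
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over every log line and keep the hits."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.channel}] traversal in {f.value!r} -> {f.target or 'other path'}")
```

Any '../' in a mail-user name is flagged regardless of where it resolves, because a file-backed user repository has no legitimate reason to see one; the resolved target is kept only to tell the two drop directories from other traversal attempts when triaging. The same three patterns translate directly into a SIEM rule keyed on the port and the command or recipient field.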

CVSS provenance

NVD v3.0: 8.1 HIGH, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C