cbcvebase.
CVE-2015-7709
published 2015-10-05


Priority: P1 (83)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: yes
EPSS: 78.97% (99.5th percentile)
The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkeia 11.0.12 and earlier allows remote attackers to bypass authentication and execute arbitrary commands via a series of crafted requests involving the ARKFS_EXEC_CMD operation.

Affected (1 range)

Vendor    Product                   Version range    Fixed in
arkeia    western_digital_arkeia    <= 11.0.12

Detection & IOCs (extracted from sources)

port: 617
command: ARKFS_EXEC_CMD
process: arkeiad
bytes: \x00\x41 + \x00*5 + \x73 + \x00*12 + \xc0\xa8\x02\x74 + \x00*56 + \x74\x02\xa8\xc0 + ARKADMIN\x00root\x00root\x00*3 + 4.3.0-1 + \x00*11
bytes: \x00\x41\x00\x00\x00\x00\x00\x70 + \x00*12 + \xc0\xa8\x02\x8a + \x00*56 + \x8a\x02\xa8\xc0 + ARKFS\x00root\x00root\x00*3 + 4.3.0-1 + \x00*11
bytes: \x00\x62\x00\x01\x00\x02\x00\x1b + ARKFS_EXEC_CMD + \x00\x31 + \x00*11
  • Monitor TCP port 617 for connections to the arkeiad daemon; any unauthenticated connection followed by an ARKFS_EXEC_CMD operation is indicative of exploitation.
  • Detect the exploit handshake by looking for the byte sequence 'ARKFS_EXEC_CMD' in TCP port 617 traffic, preceded by the magic bytes \x00\x62\x00\x01\x00\x02\x00\x1b.
  • On Windows targets, look for a randomly named executable dropped to c:\ (8–16 random alpha chars + .exe) launched via Shell.Application ShellExecute, preceded by a PowerShell DownloadFile invocation — a pattern used by the exploit's Windows payload delivery.
  • Check for the client identifier strings 'ARKADMIN' or 'ARKFS' with username 'root' and client version string '4.3.0-1' in TCP/617 session initiation packets as a fingerprint of exploit tool usage.
  • The exploit targets both the Arkeia server and all backup clients; scan the entire environment for processes named 'arkeiad' listening on TCP/617, not just the backup server.
  • The exploit is cross-platform and achieves root/SYSTEM on Windows, Linux, OSX, FreeBSD, and OpenBSD; detection and response must account for all these platforms.
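A detector for the TCP/617 fingerprints listed above, as an added example (not code from the advisory source or any vendor tool): it flags the magic header followed by the ARKFS_EXEC_CMD operation, and the ARKADMIN/ARKFS root session strings with client version 4.3.0-1, then rates a flow that shows both. The sample payloads are constructed from the byte patterns above, and the severity labels are this example's own.

```python
# Detector for the CVE-2015-7709 exploit traffic fingerprints listed above.
# Added example; sample payloads are constructed from the byte patterns on this page.
import re
from typing import Iterable, List, Tuple

ARKEIA_PORT = 617  # TCP port the arkeiad daemon listens on

# Magic header that precedes the ARKFS_EXEC_CMD operation name.
EXEC_CMD_MAGIC = b"\x00\x62\x00\x01\x00\x02\x00\x1b"
EXEC_CMD_OP = b"ARKFS_EXEC_CMD"

# Client id, user and client version strings from the exploit's session
# initiation (ARKADMIN or ARKFS, user root, version 4.3.0-1).
SESSION_RE = re.compile(
    rb"(?P<client>ARKADMIN|ARKFS)\x00root\x00root\x00{1,8}(?P<version>4\.3\.0-1)")

def inspect_payload(payload: bytes, dst_port: int) -> List[str]:
    """Return findings for one client-to-server TCP segment payload."""
    findings: List[str] = []
    if dst_port != ARKEIA_PORT:
        return findings
    idx = payload.find(EXEC_CMD_MAGIC)
    if idx != -1 and payload.startswith(EXEC_CMD_OP, idx + len(EXEC_CMD_MAGIC)):
        findings.append("ARKFS_EXEC_CMD operation with exploit magic header")
    m = SESSION_RE.search(payload)
    if m:
        findings.append("session init as %s root, client version %s"
                        % (m["client"].decode(), m["version"].decode()))
    return findings

def scan_flow(segments: Iterable[Tuple[int, bytes]]) -> Tuple[str, List[str]]:
    """Rate one TCP flow: session fingerprint followed by ARKFS_EXEC_CMD is
    the full exploit sequence ("high"); either alone still rates "medium"."""
    findings: List[str] = []
    for dst_port, payload in segments:
        findings.extend(inspect_payload(payload, dst_port))
    has_exec = any(f.startswith("ARKFS_EXEC_CMD") for f in findings)
    has_init = any(f.startswith("session init") for f in findings)
    if has_exec and has_init:
        return "high", findings
    return ("medium" if has_exec or has_init else "none"), findings

# Constructed sample segments (not captured traffic), laid out per the byte
# patterns above: session initiation, then the ARKFS_EXEC_CMD request.
SESSION_INIT = (b"\x00\x41" + b"\x00" * 5 + b"\x73" + b"\x00" * 12 + b"\xc0\xa8\x02\x74"
                + b"\x00" * 56 + b"\x74\x02\xa8\xc0" + b"ARKADMIN\x00root\x00root"
                + b"\x00" * 3 + b"4.3.0-1" + b"\x00" * 11)
EXEC_CMD = EXEC_CMD_MAGIC + EXEC_CMD_OP + b"\x00\x31" + b"\x00" * 11
BENIGN = b"\x00\x41" + b"\x00" * 20 + b"ARKFS\x00backup\x00backup\x00\x00\x0011.0.12"
```

Feed it the client-to-server payloads of each TCP/617 flow (for example from a packet capture reassembly) and alert on any rating other than "none".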