CVE-2015-8261
Published 2016-01-08
Priority: P264 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.55% (87.9th percentile)
The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | whatsup_gold | — | — |
Detection & IOCs (extracted from sources)
command: stuff'; END TRANSACTION; ATTACH DATABASE 'C:\Program Files (x86)\Ipswitch\WhatsUp\HTML\NmConsole\shell.asp' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('%s');--
- Detect inbound SOAP POST requests to /iDrone/iDroneComAPI.asmx with a SOAPAction header containing 'DroneDeleteOldMeasurements'
- Alert on SQL injection patterns in the SOAP body targeting DroneDeleteOldMeasurements, specifically 'END TRANSACTION' combined with 'ATTACH DATABASE', indicative of the SQLite-based webshell drop technique
- Monitor for creation of shell.asp under the WhatsUp Gold NmConsole web directory (C:\Program Files (x86)\Ipswitch\WhatsUp\HTML\NmConsole\)
- Detect HTTP GET requests to /NmConsole/shell.asp with a 'cmd' query parameter, indicating post-exploitation webshell access
- Flag requests using the specific User-Agent 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)' to WhatsUp Gold endpoints, as this is the hardcoded exploit UA
- The exploit requires no authentication; monitor for unauthenticated SOAP requests to iDroneComAPI.asmx from external IPs
- The SQLite ATTACH DATABASE webshell-drop technique writes shell.asp to the hardcoded path for a 32-bit (x86) installation; the path will differ on 64-bit or non-default installs
- Vulnerability affects WhatsUp Gold versions before 16.4; the exploit was tested specifically on 16.3.x on Windows 7 x86
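The HTTP-level checks listed above can be combined into one matcher, shown here as an added example that is not part of the original entry or any vendor tooling. The `req` record layout, the indicator names, and the sample records are assumptions; the matched strings come from the detection notes above.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Indicator values below are taken from the detection notes on this page.
EXPLOIT_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; "
              "MS Web Services Client Protocol 2.0.50727.4927)")
SOAP_PATH = "/idrone/idronecomapi.asmx"
SHELL_PATH = "/nmconsole/shell.asp"
SQLI = [re.compile(p, re.I) for p in (r"END\s+TRANSACTION", r"ATTACH\s+DATABASE")]

def indicators(req):
    """Return the page-listed indicators matched by one request record.

    `req` is a hypothetical normalized record with method, url, headers, body.
    """
    hits = set()
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    url = urlsplit(req["url"])
    # Windows/IIS paths are case-insensitive, so compare in lower case.
    path, method = url.path.lower(), req["method"].upper()
    if method == "POST" and path == SOAP_PATH:
        if "dronedeleteoldmeasurements" in headers.get("soapaction", "").lower():
            hits.add("soap_drone_delete")
        # SOAP bodies are XML, so quote characters may arrive entity-encoded.
        body = html.unescape(req.get("body", ""))
        if all(p.search(body) for p in SQLI):
            hits.add("sqli_attach_database")
    if method == "GET" and path == SHELL_PATH:
        if "cmd" in parse_qs(url.query, keep_blank_values=True):
            hits.add("webshell_access")
    if headers.get("user-agent") == EXPLOIT_UA:
        hits.add("exploit_user_agent")
    return hits

# Constructed sample records (not captured traffic); the SOAPAction namespace
# and the body contents are placeholders.
SAMPLES = [
    {"method": "POST", "url": "/iDrone/iDroneComAPI.asmx",
     "headers": {"SOAPAction": '"urn:constructed/DroneDeleteOldMeasurements"',
                 "User-Agent": EXPLOIT_UA},
     "body": "<v>x&apos;; end  transaction; attach database &apos;PLACEHOLDER&apos; AS a;--</v>"},
    {"method": "GET", "url": "/NmConsole/shell.asp?cmd=ver", "headers": {}, "body": ""},
    {"method": "POST", "url": "/iDrone/iDroneComAPI.asmx",
     "headers": {"SOAPAction": '"urn:constructed/OtherMethod"'}, "body": "<v>ok</v>"},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["method"], r["url"], sorted(indicators(r)))
```

File creation under the NmConsole directory is a host-side signal and needs file-system or EDR telemetry rather than request logs.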
CVSS provenance
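| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |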