CVE-2015-8261
Published: 2016-01-08


Priority: P2 (64)
Severity: critical, 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 3.55% (87.9th percentile)
The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.

Affected

1 range
Vendor: progress
Product: whatsup_gold
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: http://<target>/iDrone/iDroneComAPI.asmx
URL: http://<target>/NmConsole/shell.asp?cmd=whoami
Path: C:\Program Files (x86)\Ipswitch\WhatsUp\HTML\NmConsole\shell.asp
Filename: shell.asp
Command: stuff'; END TRANSACTION; ATTACH DATABASE 'C:\Program Files (x86)\Ipswitch\WhatsUp\HTML\NmConsole\shell.asp' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('%s');--
Other: SOAPAction: "http://iDrone.alertfox.com/DroneDeleteOldMeasurements"
  • Detect inbound SOAP POST requests to /iDrone/iDroneComAPI.asmx with SOAPAction header containing 'DroneDeleteOldMeasurements'
  • Alert on SQL injection patterns in SOAP body targeting DroneDeleteOldMeasurements, specifically 'END TRANSACTION' combined with 'ATTACH DATABASE' — indicative of SQLite-based webshell drop technique
  • Monitor for creation of shell.asp under the WhatsUp Gold NmConsole web directory (C:\Program Files (x86)\Ipswitch\WhatsUp\HTML\NmConsole\)
  • Detect HTTP GET requests to /NmConsole/shell.asp with a 'cmd' query parameter, indicating post-exploitation webshell access
  • Flag requests using the specific User-Agent 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)' to WhatsUp Gold endpoints, as this is the hardcoded exploit UA
  • The exploit requires no authentication; monitor for unauthenticated SOAP requests to iDroneComAPI.asmx from external IPs
  • The SQLite ATTACH DATABASE webshell-drop technique writes shell.asp to the hardcoded path for a 32-bit (x86) installation; the path will differ on 64-bit or non-default installs
  • Vulnerability affects WhatsUp Gold versions before 16.4; the exploit was tested specifically on 16.3.x on Windows 7 x86
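As an added example (not part of this record or of any vendor or exploit code), a small Python classifier that applies the detection notes above to individual HTTP requests; the request model, the tag names and the sample traffic are constructed for the example, only the indicators come from the notes.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs
# Indicators from the detection notes above; everything else (request model,
# tag names, sample traffic) is constructed for this example.
SOAP_ENDPOINT = "/idrone/idronecomapi.asmx"
SOAP_ACTION_MARKER = "dronedeleteoldmeasurements"
WEBSHELL_PATH = "/nmconsole/shell.asp"
EXPLOIT_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; "
              "MS Web Services Client Protocol 2.0.50727.4927)")
SQLI_RE = re.compile(r"end\s+transaction.*?attach\s+database", re.I | re.S)  # in this order

@dataclass
class HttpRequest:
    method: str
    path: str                  # URL path without the query string
    query: str = ""            # raw query string
    headers: dict = field(default_factory=dict)
    body: str = ""

def classify(req):
    """Return the detection tags (from the notes above) that one request matches."""
    hdrs = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
    path, tags = req.path.lower(), []
    if (req.method == "POST" and path == SOAP_ENDPOINT
            and SOAP_ACTION_MARKER in hdrs.get("soapaction", "").lower()):
        tags.append("soap-drone-delete")          # unauthenticated call to the vulnerable method
        if SQLI_RE.search(req.body):
            tags.append("sqli-attach-database")   # the SQLite webshell-drop signature
    if req.method == "GET" and path == WEBSHELL_PATH and "cmd" in parse_qs(req.query):
        tags.append("webshell-access")            # post-exploitation use of the dropped shell
    if hdrs.get("user-agent") == EXPLOIT_UA and path.startswith(("/idrone/", "/nmconsole/")):
        tags.append("exploit-user-agent")         # hardcoded UA on a WhatsUp Gold endpoint
    return tags

# Constructed sample traffic (not captured data) exercising each rule.
SOAP_ACTION = '"http://iDrone.alertfox.com/DroneDeleteOldMeasurements"'
SAMPLES = {
    "plain_soap": HttpRequest("POST", "/iDrone/iDroneComAPI.asmx",
        headers={"SOAPAction": SOAP_ACTION, "User-Agent": "WhatsUpAgent/16.3"},
        body="<Ids>2015-01-01</Ids>"),
    "sqli_soap": HttpRequest("POST", "/iDrone/iDroneComAPI.asmx",
        headers={"SOAPAction": SOAP_ACTION, "User-Agent": EXPLOIT_UA},
        body="<Ids>x'; END TRANSACTION; ATTACH DATABASE 'x' AS y;--</Ids>"),
    "webshell": HttpRequest("GET", "/NmConsole/shell.asp", query="cmd=whoami"),
}

def run_samples():
    return {name: classify(req) for name, req in SAMPLES.items()}
```

Note that a plain DroneDeleteOldMeasurements call is flagged on its own, because the notes treat any unauthenticated SOAP request to that method as worth an alert even without the injection signature.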

CVSS provenance

NVD, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P