CVE-2015-9098
published 2017-06-22


Priority: P275, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 14.19% (96.1th percentile)
In Redgate SQL Monitor before 3.10 and 4.x before 4.2, a remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monitor is connecting to these machines using an account with SQL admin privileges, then code execution on the operating system can result in full system compromise (if Microsoft SQL Server is running with local administrator privileges).

Affected

3 ranges

Vendor | Product | Version range | Fixed in
red-gate | sql_monitor | <= 3.5 |
red-gate | sql_monitor | |
red-gate | sql_monitor | |

Detection & IOCs (extracted from sources)

url: ftp://support.red-gate.com/patches/SqlMonitorWeb/09Apr2015/SQLMonitorWeb.exe
path: /static/4.1.0.2226/Content/RedGate.Response.css
  • Fingerprint vulnerable SQL Monitor versions by inspecting the login page HTML source for versioned static asset paths matching the pattern /static/<version>/Content/RedGate.Response.css.
  • Detect exploitation attempts by monitoring for unauthenticated Base Monitor connection changes via the 'Configuration / Base Monitor connection' endpoint, particularly POST requests that update the Base Monitor IP/port without a prior authenticated session.
  • Alert on T-SQL execution of xp_cmdshell enablement sequence (sp_configure 'xp_cmdshell') originating from the SQL Monitor Base Monitor service account, as this is the post-exploitation OS command execution path.
  • Look for error messages in SQL Monitor responses containing 'Unable to convert' alongside 'The command completed successfully', which indicates successful xp_cmdshell execution via the exploit.
  • Exploitation is only possible if the Base Monitor port is network-accessible to the attacker; restricting network access to the Base Monitor port mitigates unauthenticated access.
  • Full OS compromise via xp_cmdshell only occurs if the Base Monitor connects to SQL Server with SQL admin privileges AND SQL Server runs under a Windows local administrator account — both conditions must be true.
  • Affected versions are SQL Monitor before 3.10 and 4.x before 4.2; the vendor released a fix over two years before this exploit was published (April 2015).
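For inventorying your own SQL Monitor instances, the version check from the fingerprinting note can be run over saved login-page HTML. This is an added example, not code from the advisory or the vendor; it assumes the version segment of the asset path is the installed product version, and every sample page except the 4.1.0.2226 path is constructed.

```python
import re

# Assumption: the version segment of the static asset path is the installed
# SQL Monitor version, as the fingerprinting note above implies.
ASSET_RE = re.compile(r"/static/(\d+(?:\.\d+){1,3})/Content/RedGate\.Response\.css")


def extract_version(login_html):
    """Return the version from the first versioned asset path as an int tuple, or None."""
    m = ASSET_RE.search(login_html)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """Affected per the advisory text: before 3.10, and 4.x before 4.2."""
    major_minor = version[:2]
    # Compare numerically: 3.10 is newer than 3.5, which a string compare gets wrong.
    if major_minor < (3, 10):
        return True
    return (4, 0) <= major_minor < (4, 2)


def classify(login_html):
    """Map saved login-page HTML to 'affected', 'not affected' or 'unknown'."""
    version = extract_version(login_html)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


# Constructed sample pages (not captured from a real install).
SAMPLES = {
    "monitor-a": '<link href="/static/4.1.0.2226/Content/RedGate.Response.css" rel="stylesheet">',
    "monitor-b": '<link href="/static/4.2.0.100/Content/RedGate.Response.css" rel="stylesheet">',
    "monitor-c": '<link href="/static/3.10.0.5/Content/RedGate.Response.css" rel="stylesheet">',
    "monitor-d": '<link href="/static/3.5.0.1/Content/RedGate.Response.css" rel="stylesheet">',
    "monitor-e": "<html><body>login</body></html>",
}

if __name__ == "__main__":
    for host, html in SAMPLES.items():
        print(host, classify(html))
```

An "unknown" result means the asset path was not found, not that the instance is patched; confirm the version from the product itself in that case.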

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C