CVE-2016-0861
published 2016-02-05

Priority: P268 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 14.24% (96.1th percentile)

General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to execute arbitrary commands via unspecified vectors.

Affected

1 range

Vendor | Product | Version range | Fixed in
ge | ups_snmp_web_adapter_firmware | <= 4.7 | -

Detection & IOCs (extracted from sources)

command; cat /etc/shadow
  • Command injection via the Hostname/IP address input field on the GE UPS SNMP/Web Adapter — look for shell metacharacters (e.g. semicolons) injected into that parameter in HTTP requests to the device's web interface.
  • The injected command '; cat /etc/shadow' produces cleartext credential output including default accounts 'ge' and 'root123'; presence of these usernames in device responses is a strong indicator of exploitation.
  • Exploitation requires authenticated access (low-privilege user sufficient); monitor for authenticated sessions followed by anomalous command-like strings in web form fields targeting GE SNMP/Web Interface adapters running firmware prior to 4.8.
  • Exploitation requires prior authentication; however, only low-privilege credentials are needed, making the bar for exploitation low.
  • Firmware fix (v4.8) only applies directly to product numbers 1024746, 1024747, 1024748, and 1024921; all other product numbers require a full hardware upgrade to accept the patched firmware.
  • Default/hardcoded accounts ('ge', 'root123') with home directory '/home/admin' are present on vulnerable devices; these should be treated as known-compromised credentials on any unpatched device.

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
ghsa | 7.5 | HIGH