CVE-2016-10043
Published 2017-01-31
Priority: P267 · critical · CVSS 3.0 score: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 9.53% (94.8th percentile)
An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The MSM_MACRO_NAME POST parameter in /swms/ms.cgi was discovered to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands and retrieve the output in the application's responses. Attackers could execute unauthorized commands, which could then be used to disable the software, or read, write, and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner (apache user).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mrf | web_panel | — | — |
Detection & IOCs
- Monitor POST requests to /swms/ms.cgi for the MSM_MACRO_NAME parameter containing pipe characters (|) used to chain OS commands.
- Detect the specific injection pattern in POST body: MSM_MACRO_NAME value containing '|||' sequences or URL-encoded equivalents (%7C%7C%7C), particularly combined with comment characters (#) and quote characters.
- Alert on POST requests to /swms/ms.cgi where MSM_MACRO_INPUT=-EXECUTE, as this triggers execution of the injected command payload.
- Commands injected via this vulnerability execute as the apache user; monitor for unexpected process spawning from the apache/httpd process, particularly shell commands originating from ms.cgi.
- The vulnerability is confirmed only against version 9.0.1 of Radisys MRF Web Panel (SWMS); other versions are not explicitly confirmed affected.
- Exploitation requires authentication: the attacker must first log in with at least a standard user account before injecting commands via the POST parameter.
- The verified affected operations are specifically 'Show Fatal Error' and 'Log Package Configuration'; other operations may or may not be exploitable via the same parameter.
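The request-level indicators listed above can be checked with a short script. This is an added example, not a rule published for this CVE or code from the vendor; it assumes captured requests are available as (method, path, raw POST body) tuples, and the function names, indicator labels and sample records are constructed for illustration.

```python
from urllib.parse import parse_qs

TARGET_PATH = "/swms/ms.cgi"  # endpoint named in the advisory

def inspect_request(method, path, body):
    """Return the indicators matched by one request (empty list = clean)."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    # parse_qs percent-decodes values, so %7C and a literal | compare equal.
    fields = parse_qs(body, keep_blank_values=True)
    hits = []
    for value in fields.get("MSM_MACRO_NAME", []):
        if "|||" in value:
            hits.append("triple-pipe")
        elif "|" in value:
            hits.append("pipe")
        if "|" in value and any(c in value for c in "#'\""):
            hits.append("pipe-with-comment-or-quote")
    if "-EXECUTE" in fields.get("MSM_MACRO_INPUT", []):
        hits.append("execute")
    return hits

def scan(records):
    """Return (record_number, indicators) for every record that matched."""
    return [(n, hits) for n, rec in enumerate(records, 1)
            if (hits := inspect_request(*rec))]

# Constructed sample records: (method, path, raw POST body).
# PLACEHOLDER stands in for whatever follows the pipes in a real request.
SAMPLE = [
    ("POST", "/swms/ms.cgi",
     "MSM_MACRO_NAME=Show+Fatal+Error&MSM_MACRO_INPUT=-EXECUTE"),
    ("POST", "/swms/ms.cgi",
     "MSM_MACRO_NAME=x%27%7C%7C%7CPLACEHOLDER%23&MSM_MACRO_INPUT=-EXECUTE"),
    ("GET", "/swms/ms.cgi", ""),
    ("POST", "/swms/other.cgi", "MSM_MACRO_NAME=a|b"),
    ("POST", "/swms/ms.cgi", "MSM_MACRO_NAME=a|b"),
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(f"record {n}: {', '.join(hits)}")
```

A record that matches only `execute` may be normal panel use; the pipe indicators in MSM_MACRO_NAME are the ones tied to the injection pattern described above.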
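CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |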