CVE-2016-1524
published 2016-02-13

Priority: P1 · 83 · critical · 9.6 (CVSS 3.0)
CVSS 3.0 vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 94.10% (99.8th percentile)
Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI.

Affected

1 range

Vendor    Product                                      Version range    Fixed in
netgear   prosafe_network_management_software_300      <= 1.5.0.11      (none listed)

Detection & IOCs (extracted from sources)

url:      /data/config/image.do?method=add
url:      /data/getPage.do?method=getPageList&type=configImgManager
url:      /data/config/image.do?method=export&imageId=
path:     /data/config/image.do
path:     /data/getPage.do
command:  realName=../../../../../../../../../../
port:     8080
  • Detect POST requests to /data/config/image.do?method=add containing path traversal sequences (../../) in the realName parameter, indicating exploitation of CVE-2016-1524 arbitrary file download.
  • Detect GET requests to /data/config/image.do?method=export&imageId= on port 8080, which is the final step to exfiltrate a file via the path traversal vulnerability.
  • Detect POST requests to /data/getPage.do?method=getPageList&type=configImgManager, used by attackers to enumerate imageId values for subsequent file download exploitation.
  • CVE-2016-1524 (arbitrary file download) requires authentication, whereas the related CVE-2016-1525 (arbitrary file upload/RCE) does not. Detections for the download path should account for authenticated sessions.
  • Affected versions confirmed in testing are NMS300 1.5.0.11, 1.5.0.2, 1.4.0.17, and 1.1.0.13; scope detections accordingly.
  • NMS300 runs on Windows, and the file download vulnerability allows retrieval of any file accessible to the SYSTEM user, making credential and configuration files high-value targets.
  • No fix was available at the time of disclosure; vendor guidance was to not expose NMS300 to the Internet or untrusted networks.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      9.6     CRITICAL   CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd      v2.0      8.3     HIGH       AV:A/AC:L/Au:N/C:C/I:C/A:C