CVE-2016-1525
published 2016-02-13

Priority: P2 (72, high)
CVSS 3.0: 8.6 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N)
Exploit: available
EPSS: 75.01% (99.4th percentile)
Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter.

Affected

1 range

Vendor    Product                                   Version range                                  Fixed in
netgear   prosafe_network_management_software_300   1.5.0.11 and earlier (from the description)    not listed

Detection & IOCs (extracted from sources)

Type      Value
url       /lib-1.0/external/flash/fileUpload.do
url       /fileUpload.do
url       /data/config/image.do
url       /data/getPage.do?method=getPageList&type=configImgManager
url       /data/config/image.do?method=export&imageId=
port      8080
path      null[name].[extension]
command   realName=../../../../../../../../../../
  • Detect unauthenticated POST requests to /lib-1.0/external/flash/fileUpload.do or /fileUpload.do with multipart/form-data content containing a .jsp filename: this indicates an arbitrary JSP file upload attempt (CVE-2016-1524, the companion vulnerability).
  • Uploaded JSP webshells are served from the web root with a 'null' prefix in the filename (e.g., /null<name>.jsp). Monitor HTTP GET requests matching the pattern /null*.jsp on port 8080.
  • Detect POST requests to /data/config/image.do?method=add containing dot-dot sequences (../) in the realName parameter: this indicates directory traversal / arbitrary file download exploitation (CVE-2016-1525, this CVE). Check the decoded value, since the sequence may arrive URL-encoded.
  • A GET request to /fileUpload.do returning HTTP 405 is used by the Metasploit module as its check to confirm the target is an NMS300 instance; on its own it is a reconnaissance signal, not exploitation.
  • The file upload vulnerability (CVE-2016-1524) is unauthenticated; the directory traversal / file download vulnerability (CVE-2016-1525) requires authentication according to its description. These are two distinct vulnerabilities that are often chained together.
  • Affected versions confirmed in the exploit PoC are NMS300 1.5.0.11, 1.5.0.2, 1.4.0.17, and 1.1.0.13. The Metasploit module was also tested against 1.7.0.12 and 1.7.0.1.
  • The NMS300 application runs on Windows and the uploaded JSP payload executes as the SYSTEM user, so successful exploitation yields full system compromise.
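The detection bullets above, turned into runnable logic as an added example (this is not code from the page, from NETGEAR, or from the Metasploit module). It applies the four rules (JSP upload POST, /null*.jsp webshell access, dot-dot in realName on image.do?method=add, and the GET /fileUpload.do 405 check) to constructed request records of the kind a reverse proxy or WAF might log. The record field names (src, port, method, url, status, content_type, body), the multipart field name "Filedata", and the sample target path in the traversal requests are assumptions made for the example; the traversal rule also decodes the parameter so encoded dot-dot variants are caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints and patterns taken from the IOC list on this page.
UPLOAD_PATHS = {"/lib-1.0/external/flash/fileUpload.do", "/fileUpload.do"}
TRAVERSAL_PATH = "/data/config/image.do"
WEBSHELL_RE = re.compile(r"^/null[^/]*\.jsp$", re.IGNORECASE)
JSP_FILENAME_RE = re.compile(r'filename="[^"]*\.jsp"', re.IGNORECASE)
NMS300_PORT = 8080


def _params(url, content_type, body):
    """Merge query-string and urlencoded-body parameters into one dict of lists."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if content_type.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def _has_traversal(value):
    # parse_qs already decoded the value once; decode two more times so
    # double- and triple-encoded dot-dot survives, and fold backslashes
    # to slashes because the NMS300 host is Windows.
    decoded = unquote(unquote(value)).replace("\\", "/")
    return "../" in decoded


def classify(rec):
    """Return the names of the detection rules that fire for one request record."""
    hits = []
    method = rec.get("method", "").upper()
    url = rec.get("url", "")
    path = urlsplit(url).path
    ctype = rec.get("content_type", "").lower()
    body = rec.get("body", "")

    # Rule 1: multipart POST to an upload endpoint carrying a .jsp filename (CVE-2016-1524).
    if (method == "POST" and path in UPLOAD_PATHS
            and ctype.startswith("multipart/form-data") and JSP_FILENAME_RE.search(body)):
        hits.append("nms300_jsp_upload")
    # Rule 2: GET for /null*.jsp at the web root on the NMS300 port (webshell use).
    if method == "GET" and WEBSHELL_RE.match(path) and rec.get("port", NMS300_PORT) == NMS300_PORT:
        hits.append("nms300_webshell_access")
    # Rule 3: POST to image.do?method=add with dot-dot in realName (CVE-2016-1525).
    if method == "POST" and path == TRAVERSAL_PATH:
        params = _params(url, ctype, body)
        if "add" in params.get("method", []) and any(_has_traversal(v) for v in params.get("realName", [])):
            hits.append("nms300_realname_traversal")
    # Rule 4: the Metasploit check request, GET /fileUpload.do answered with 405.
    if method == "GET" and path == "/fileUpload.do" and rec.get("status") == 405:
        hits.append("nms300_msf_check")
    return hits


def scan(records):
    """Return (index, source_ip, rule) for every rule that fires across the records."""
    return [(i, rec.get("src", "?"), rule) for i, rec in enumerate(records) for rule in classify(rec)]


# Constructed sample traffic (not captured from any real system): an attacker on
# 10.0.0.5 following the check/upload/execute sequence, traversal attempts from
# 10.0.0.7 (one plain, one double-encoded), and benign admin traffic from 10.0.0.9.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "port": 8080, "method": "GET", "url": "/fileUpload.do", "status": 405},
    {"src": "10.0.0.5", "port": 8080, "method": "POST", "url": "/lib-1.0/external/flash/fileUpload.do",
     "status": 200, "content_type": "multipart/form-data; boundary=----x",
     "body": '------x\r\nContent-Disposition: form-data; name="Filedata"; filename="cmd.jsp"\r\n\r\n'
             '<%-- constructed payload placeholder --%>\r\n------x--\r\n'},
    {"src": "10.0.0.5", "port": 8080, "method": "GET", "url": "/nullcmd.jsp?cmd=whoami", "status": 200},
    {"src": "10.0.0.7", "port": 8080, "method": "POST", "url": "/data/config/image.do?method=add",
     "status": 200, "content_type": "application/x-www-form-urlencoded",
     "body": "realName=../../../../../../../../../../Windows/win.ini"},
    {"src": "10.0.0.9", "port": 8080, "method": "GET",
     "url": "/data/getPage.do?method=getPageList&type=configImgManager", "status": 200},
    {"src": "10.0.0.9", "port": 8080, "method": "POST", "url": "/data/config/image.do?method=add",
     "status": 200, "content_type": "application/x-www-form-urlencoded", "body": "realName=core-switch.cfg"},
    {"src": "10.0.0.7", "port": 8080, "method": "POST", "url": "/data/config/image.do?method=add",
     "status": 200, "content_type": "application/x-www-form-urlencoded",
     "body": "realName=%252e%252e%252f%252e%252e%252fWindows%252fwin.ini"},
]

if __name__ == "__main__":
    for idx, src, rule in scan(SAMPLE_REQUESTS):
        print(f"request #{idx} from {src}: {rule}")
```

Rule 4 fires on a bare GET that any scanner may send, so treat it as a low-severity precursor and only escalate when it is followed by rule 1 or rule 2 from the same source, as the constructed session from 10.0.0.5 shows. The benign admin requests from 10.0.0.9, including a legitimate realName value, produce no hits.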

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      8.6     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
nvd      v2.0      7.8     HIGH       AV:N/AC:L/Au:N/C:C/I:N/A:N

Note that both NVD vectors score this as requiring no authentication (PR:N in v3.0, Au:N in v2.0) even though the description says "remote authenticated users"; prioritize using the description and the detection notes above rather than the vector alone.