cbcvebase.
CVE-2016-1560
published 2017-04-21

CVE-2016-1560: ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in…

PriorityP182critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
72.29%
99.4th percentile
ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote attackers to obtain administrative access via an SSH or HTTP session.

Affected

8 ranges
VendorProductVersion rangeFixed in
exagridex10000e_firmware
exagridex13000e_firmware
exagridex21000e_firmware
exagridex3000_firmware
exagridex32000e_firmware
exagridex40000e_firmware
exagridex5000_firmware
exagridex7000_firmware

Detection & IOCsextracted from sources · hover to see the quote

otherinflection
other-----BEGIN RSA PRIVATE KEY----- MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10 hIruzXQAik7TEBYZyvw9SvYU6MQFsMeqVHGhcXQ5yaz3G/eqX0RhRDn5T4zoHKZa E1MU86zqAUdSXwHDe3pz5JEoGl9EUHTLMGP13T3eBJ19MAWjP7Iuji9HAgElAoGA GSZrnBieX2pdjsQ55/AJA/HF3oJWTRysYWi0nmJUmm41eDV8oRxXl2qFAIqCgeBQ BWA4SzGA77/ll3cBfKzkG1Q3OiVG/YJPOYLp7127zh337hhHZyzTiSjMPFVcanrg AciYw3X0z2GP9ymWGOnIbOsucdhnbHPuSORASPOUOn0CQQC07Acq53rf3iQIkJ9Y iYZd6xnZeZugaX51gQzKgN1QJ1y2sfTfLV6AwsPnieo7+vw2yk+Hl1i5uG9+XkTs Ry45AkEAkk0MPL5YxqLKwH6wh2FHytr1jmENOkQu97k2TsuX0CzzDQApIY/eFkCj QAgkI282MRsaTosxkYeG7ErsA5BJfwJAMOXYbHXp26PSYy4BjYzz4ggwf/dafmGz ebQs+HXa8xGOreroPFFzfL8Eg8Ro0fDOi1lF7Ut/w330nrGxw1GCHQJAYtodBnLG XLMvDHFG2AN1spPyBkGTUOH2OK2TZawoTmOPd3ymK28LriuskwxrceNb96qHZYCk 86DC8q8p2OTzYwJANXzRM0SGTqSDMnnid7PGlivaQqfpPOx8MiFR/cGr2dT1HD7y x6f/85mMeTqamSxjTJqALHeKPYWyzeSnUrp+Eg== -----END RSA PRIVATE KEY-----
command/bin/bash -i
  • Detect SSH login attempts to ExaGrid appliances using username 'root' with password 'inflection' — the hardcoded default credential for the root shell account.
  • Detect SSH authentication attempts using the known ExaGrid backdoor RSA private key (fingerprint derivable from the embedded key_data). Any successful SSH login to an ExaGrid appliance via this key should be treated as a compromise indicator.
  • Alert on SSH sessions to ExaGrid appliances (port 22) that spawn an interactive bash shell (/bin/bash -i) immediately after authentication, which is the post-exploitation pattern used by the Metasploit module.
  • Monitor HTTP/web interface login attempts to ExaGrid appliances using the username 'support' — the hardcoded default credential for the web support account.
  • ·Affected firmware versions are strictly before 4.8 P26. Appliances running 4.8 P26 or later are not vulnerable to this default credential issue.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.