CVE-2016-1561
published 2017-04-21


Priority: P273 high, 7.5 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 74.26% (99.4th percentile)
ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH access by leveraging knowledge of a private key from another installation or a firmware image.

Affected

8 ranges
Vendor    Product              Version range    Fixed in
exagrid   ex10000e_firmware
exagrid   ex13000e_firmware
exagrid   ex21000e_firmware
exagrid   ex3000_firmware
exagrid   ex32000e_firmware
exagrid   ex40000e_firmware
exagrid   ex5000_firmware
exagrid   ex7000_firmware

Detection & IOCs (extracted from sources)

port: 22/tcp
command: /bin/bash -i
other: root:inflection
path: /root/.ssh/authorized_keys
  • Detect SSH authentication attempts to port 22 using the known ExaGrid RSA private key (MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10...) as root — a successful auth with this key indicates exploitation of CVE-2016-1561.
  • Alert on SSH login as 'root' with password 'inflection' to ExaGrid appliances on port 22 — this is the hardcoded default credential used as a fallback when key-based auth fails.
  • Monitor for interactive bash shell spawning (/bin/bash -i) immediately after SSH session establishment as root on ExaGrid appliances, which is the post-auth payload delivery mechanism.
  • Audit the authorized_keys file for root on ExaGrid appliances for the presence of the known shipped public key; its presence on unpatched firmware (before 4.8 P26) indicates a backdoor condition.
  • Exploitation requires knowledge of the private key, which is embedded in firmware images and the public Metasploit module; treat the key as fully public/compromised across all ExaGrid deployments.
  • The module falls back to password authentication with 'inflection' if key-based auth fails, meaning both CVE-2016-1561 (key) and CVE-2016-1560 (password) attack vectors are attempted in sequence.
  • Only ExaGrid appliances running firmware before version 4.8 P26 are vulnerable; patched appliances should have the shared key removed from root's authorized_keys.
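
One way to run the authorized_keys audit described above, as an added example that is not part of the original entry or any vendor tooling: it fingerprints every key in a collected copy of root's authorized_keys and reports entries matching a known-bad set. The function names, the placeholder fingerprint and the sample entries are assumptions constructed for illustration; the shipped key's real fingerprint has to come from the vendor advisory.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

# Placeholder: fill in the fingerprint of the shipped key from the vendor advisory.
SHIPPED_KEY_FINGERPRINTS = {"SHA256:<fingerprint-of-shipped-key>"}

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, known_bad):
    """Return (line_no, fingerprint, comment) for each entry whose key is in known_bad."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An entry may begin with an options field (from="...", command="..."),
        # so find the key-type token instead of assuming it comes first.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    fp = fingerprint(fields[i + 1])
                except ValueError:  # malformed base64: skip the entry
                    break
                if fp in known_bad:
                    hits.append((line_no, fp, " ".join(fields[i + 2:])))
                break
    return hits

# Constructed sample data: these blobs are not real keys.
BAD_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-shared-key").decode()
GOOD_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-admin-key").decode()
SAMPLE = "\n".join([
    "# root authorized_keys (constructed)",
    f"ssh-rsa {GOOD_BLOB} admin@constructed",
    f'from="10.0.0.0/8",no-pty ssh-rsa {BAD_BLOB} support@constructed',
    "ssh-rsa !!!not-base64 broken@constructed",
])

if __name__ == "__main__":
    for line_no, fp, comment in audit_authorized_keys(SAMPLE, {fingerprint(BAD_BLOB)}):
        print(f"line {line_no}: shared key present ({fp}) comment={comment!r}")
```

The fingerprint format matches what sshd writes in its "Accepted publickey" log lines, so the same known-bad set can be used to search authentication logs.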

CVSS provenance

nvd   v3.0   7.5   HIGH     CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd   v2.0   5.0   MEDIUM   AV:N/AC:L/Au:N/C:P/I:N/A:N