CVE-2016-5639
published 2016-08-03


Priority: P264, high, 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 20.84% (97.2th percentile)
Directory traversal vulnerability in cgi-bin/login.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter.

Affected

Vendor: crestron
Product: airmedia_am-100_firmware
Version range: <= 1.4.0.12
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow
path: /cgi-bin/login.cgi
path: /cgi-bin/login_rdtool.cgi
port: 5885
other: rdtool:mistral5885
other: root:awind5885
path: session01, session02
  • Detect path traversal attempts targeting /cgi-bin/login.cgi with a 'src' parameter containing dot-dot sequences (../) to read arbitrary files such as /etc/shadow.
  • Monitor for HTTP GET requests to /cgi-bin/login.cgi where the 'src' query parameter contains repeated '../' sequences indicative of directory traversal.
  • Alert on any HTTP access to the hidden management endpoint /cgi-bin/login_rdtool.cgi, which exposes file upload and telnet enablement capabilities.
  • Monitor for unexpected telnet connections on port 5885, which can be enabled via the hidden rdtool management interface (RD Debug mode).
  • Inspect session files on the filesystem (session01, session02, etc.) for cleartext credential exposure, which may indicate post-exploitation activity.
  • Vulnerability affects firmware versions v1.1.1.11 through v1.2.1; devices running firmware 1.4.0.13 or later are not affected by the path traversal.
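
The first three detection bullets above, written as a log filter. This is an added example, not part of the original record or of any vendor tooling. It assumes combined-format HTTP access logs from a proxy or sensor in front of the device; the function names, finding labels and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a ".." path segment

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply encoded dots and slashes are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the finding labels for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = fully_decode(parts.path).lower()
    findings = []
    if path == "/cgi-bin/login_rdtool.cgi":
        findings.append("rdtool-endpoint-access")
    elif path == "/cgi-bin/login.cgi":
        # parse_qs decodes one layer; fully_decode removes any further layers.
        srcs = parse_qs(parts.query, keep_blank_values=True).get("src", [])
        if any(TRAVERSAL_RE.search(fully_decode(s)) for s in srcs):
            findings.append("login-cgi-src-traversal")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line that raised a finding."""
    return [(n, f) for n, l in enumerate(lines, 1) if (f := classify(l))]

# Constructed sample lines, not real traffic; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/login.cgi?lang=en&src=home.html HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/login.cgi?lang=en&src=../../../../etc/shadow HTTP/1.1" 200 900',
    '192.0.2.66 - - [01/Jan/2024:10:00:07 +0000] "GET /cgi-bin/login.cgi?lang=en&src=%252e%252e%252fetc%252fshadow HTTP/1.1" 200 900',
    '192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/login_rdtool.cgi HTTP/1.1" 200 300',
    '192.0.2.10 - - [01/Jan/2024:10:00:11 +0000] "GET /index.html?src=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```

The filter decodes the src value before matching, so percent-encoded dot-dot sequences are flagged the same way as literal ones, and it ignores src parameters on paths other than /cgi-bin/login.cgi.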

CVSS provenance

nvd, v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd, v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N