CVE-2016-7547
published 2017-04-12

CVE-2016-7547: A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface.

Priority: P279 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 92.72% (99.8th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
trendmicro | threat_discovery_appliance | |

Detection & IOCs (extracted from sources)

path: /cgi-bin/admin_sys_time.cgi
other: timezone (CGI parameter used for command injection)
  • Monitor HTTP requests to admin_sys_time.cgi containing shell metacharacters (e.g., ;, |, $(), backticks) in the 'timezone' POST/GET parameter, which is the injection point for CVE-2016-7547.
  • Detect DELETE or GET requests to logoff.cgi as a precursor authentication-bypass step (CVE-2016-7552) that resets the admin password to 'admin', often chained before exploitation of CVE-2016-7547.
  • Alert on repeated heartbeat/polling HTTP requests to the appliance followed by a login attempt with default credentials ('admin'/'admin') and subsequent POST to admin_sys_time.cgi — this matches the Metasploit module's exploitation sequence.
  • The authentication bypass (CVE-2016-7552) requires a device reboot to take effect; exploitation of CVE-2016-7547 alone is possible if valid credentials are already known, meaning the auth-bypass chain is optional.
  • The Metasploit module and CVE are confirmed only against Trend Micro Threat Discovery Appliance version 2.6.1062r1; detection rules should be scoped to that specific appliance version.
  • The password reset via logoff.cgi file-delete may cause legitimate admin lockout, which could be mistaken for a benign misconfiguration rather than an active attack precursor.
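
The first two detection points above, written as log-review logic. This is an added example, not code from this page or from the vendor. It assumes a hypothetical tab-separated capture format (source, method, request URI, body) from a proxy or sensor that records request bodies; the sample records and the /cgi-bin/ location of logoff.cgi are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Metacharacters named in the guidance (; | $( backticks), plus & and
# newline, which a shell also treats as command separators.
SHELL_META = re.compile(r"[;|`&\n]|\$\(")

def timezone_values(encoded):
    """Yield decoded values of every 'timezone' field in a urlencoded string."""
    for pair in encoded.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "timezone":
            yield unquote_plus(value)  # decode so %3B, %60 etc. are seen too

def analyze(lines):
    """Return (source, rule, chained) alerts; chained means the same source
    requested logoff.cgi earlier in the input."""
    alerts, saw_logoff = [], set()
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue  # not in the assumed four-field format
        src, method, uri, body = parts
        url = urlsplit(uri)
        script = url.path.rsplit("/", 1)[-1]
        if script == "logoff.cgi" and method in ("GET", "DELETE"):
            saw_logoff.add(src)
            alerts.append((src, "logoff-precursor", False))
        elif script == "admin_sys_time.cgi":
            values = list(timezone_values(url.query)) + list(timezone_values(body))
            if any(SHELL_META.search(v) for v in values):
                alerts.append((src, "timezone-metachar", src in saw_logoff))
    return alerts

# Constructed records (documentation address ranges), not real traffic.
SAMPLE = [
    "192.0.2.10\tPOST\t/cgi-bin/admin_sys_time.cgi\ttimezone=Europe%2FBerlin",
    "198.51.100.7\tGET\t/cgi-bin/logoff.cgi\t",
    "198.51.100.7\tPOST\t/cgi-bin/admin_sys_time.cgi\ttimezone=UTC%3Becho+constructed",
    "203.0.113.5\tGET\t/cgi-bin/admin_sys_time.cgi?timezone=UTC%60constructed%60\t",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The logoff-precursor rule fires on any GET or DELETE to logoff.cgi, so treat it as context for correlation with the timezone rule, not as a standalone alert.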

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P