CVE-2016-7786
Published 2017-04-07
Priority: P2 (61)
CVSS 3.0: 8.8 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC available
EPSS: 6.98% (93.3rd percentile)
Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 allows remote authenticated users to bypass intended access restrictions via direct object reference, as demonstrated by a request for Licenseinformation.jsp. This is fixed in 10.6.5.
Affected (1 range)
| Vendor | Product | Affected version | Fixed in |
|---|---|---|---|
| sophos | cyberoam_cr25ing_utm_firmware | 10.6.3 MR-5 | 10.6.5 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated or low-privileged direct GET requests to sensitive dashboard JSP endpoints under /corporate/webpages/dashboard/ (particularly LicenseInformation.jsp, ApplianceInformation.jsp, IPSRecentAlerts.jsp and HTTPVirusDetected.jsp), which should be reachable only by admin-level users.
- Look for HTTP 200 responses to GET requests for /corporate/webpages/dashboard/*.jsp from sessions belonging to low-privileged users; a 200 returned to such a session indicates successful direct-object-reference (IDOR) exploitation, whereas a 403 means the access control held.
- Flag requests to dashboard JSP pages that carry the X-Requested-With: XMLHttpRequest header but originate from non-admin session contexts; the PoC issues AJAX-style requests to bypass the access controls. Treat the header as corroborating evidence rather than a requirement, since the bypass itself is the direct request described in the first two points.
- The exploit requires the attacker to be authenticated, at least as a low-privileged user; purely unauthenticated access is not demonstrated. Detection rules should therefore key on authenticated sessions with insufficient privilege rather than on the absence of a session.
- Many dashboard JSP URLs beyond those named are reportedly affected ("...Many others..."), so coverage should extend to the entire /corporate/webpages/dashboard/ path, not just the named files.
- Upgrading to version 10.6.5 eliminates this vulnerability; these detections are relevant only for appliances still running 10.6.3 MR-5 or earlier.
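The detection points above, turned into runnable logic as an added example (this is not code from the vulnerability source or from Sophos). It assumes a simplified, constructed access-log line format and a hypothetical session-id-to-role mapping, neither of which is Cyberoam's real logging; the page name SomeOtherWidget.jsp in the sample is likewise made up to show that the whole dashboard directory is covered, not only the files the PoC names. Every successful GET to a .jsp under /corporate/webpages/dashboard/ from a non-admin or unknown session is reported, with the XMLHttpRequest header recorded as corroborating evidence.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Directory the IOC notes say should be reachable only by admin sessions.
DASHBOARD_PREFIX = "/corporate/webpages/dashboard/"

# Pages named explicitly in the public PoC; anything else under the
# dashboard directory is still flagged, just without the "named" marker.
NAMED_PAGES = {
    "licenseinformation.jsp",
    "applianceinformation.jsp",
    "ipsrecentalerts.jsp",
    "httpvirusdetected.jsp",
}

# ASSUMPTION: a simplified, constructed access-log format
#   <src-ip> <method> <path> <status> sid=<session-id> xrw=<X-Requested-With or ->
# This is not Cyberoam's real log format; adapt the regex to the source you have.
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"sid=(?P<sid>\S+) xrw=(?P<xrw>\S+)$"
)


@dataclass
class Alert:
    src: str
    sid: str
    role: str       # role the session was mapped to ("unauthenticated" if unknown)
    path: str
    ajax: bool      # request carried X-Requested-With: XMLHttpRequest, as in the PoC
    named: bool     # page is one of the files the PoC names explicitly


def is_dashboard_jsp(path: str) -> bool:
    """True for any .jsp under the dashboard directory (query string ignored)."""
    p = path.split("?", 1)[0].lower()
    return p.startswith(DASHBOARD_PREFIX) and p.endswith(".jsp")


def detect_idor(lines: Iterable[str], session_roles: Dict[str, str]) -> List[Alert]:
    """Flag successful GETs to dashboard JSPs from sessions that are not admin.

    session_roles maps a session id to its role; sessions absent from the map
    (including a missing cookie, logged as '-') are treated as unauthenticated.
    """
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                  # unparsable line, skip
        if m["method"] != "GET" or m["status"] != "200":
            continue                                  # denied or non-GET: not an IDOR success
        if not is_dashboard_jsp(m["path"]):
            continue
        role = session_roles.get(m["sid"], "unauthenticated")
        if role == "admin":
            continue                                  # admins are allowed here
        page = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        alerts.append(Alert(
            src=m["src"], sid=m["sid"], role=role, path=m["path"],
            ajax=m["xrw"].lower() == "xmlhttprequest",
            named=page in NAMED_PAGES,
        ))
    return alerts


# Constructed sample data (not real traffic). Session A1 is an admin, U7 a
# low-privileged account; the last line has no session cookie at all.
# SomeOtherWidget.jsp is a hypothetical page name.
SESSION_ROLES = {"A1": "admin", "U7": "readonly"}
SAMPLE_LOG = [
    "10.0.0.5 GET /corporate/webpages/dashboard/LicenseInformation.jsp 200 sid=A1 xrw=XMLHttpRequest",
    "10.0.0.9 GET /corporate/webpages/dashboard/LicenseInformation.jsp 200 sid=U7 xrw=XMLHttpRequest",
    "10.0.0.9 GET /corporate/webpages/dashboard/SomeOtherWidget.jsp?x=1 200 sid=U7 xrw=-",
    "10.0.0.9 GET /corporate/webpages/dashboard/ApplianceInformation.jsp 403 sid=U7 xrw=-",
    "10.0.0.9 GET /corporate/webpages/index.jsp 200 sid=U7 xrw=-",
    "10.0.0.22 GET /corporate/webpages/dashboard/IPSRecentAlerts.jsp 200 sid=- xrw=-",
]

if __name__ == "__main__":
    for a in detect_idor(SAMPLE_LOG, SESSION_ROLES):
        print(f"{a.src} sid={a.sid} role={a.role} ajax={a.ajax} named={a.named} {a.path}")
```

On the sample data the admin request and the 403 are ignored and three alerts come back: the low-privileged session reading LicenseInformation.jsp over AJAX, the same session reading an unnamed dashboard page, and a session-less request that the role map cannot resolve. The role lookup is the part that needs real data: wire it to whatever your appliance or proxy logs as the authenticated user, because the bypass only shows up once you can tell an admin session from a non-admin one.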
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 9.0 HIGH, AV:N/AC:L/Au:S/C:C/I:C/A:C