CVE-2016-7786
published 2017-04-07


Priority: P2, 61, high; CVSS 3.0 score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: EPSS 6.98% (93.3rd percentile)
Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 allows remote authenticated users to bypass intended access restrictions via direct object reference, as demonstrated by a request for Licenseinformation.jsp. This is fixed in 10.6.5.

Affected

1 range

Vendor   Product                          Version range   Fixed in
sophos   cyberoam_cr25ing_utm_firmware    (not given)     (not given)

Detection & IOCs (extracted from sources)

Path: /corporate/webpages/dashboard/LicenseInformation.jsp
Path: /corporate/webpages/dashboard/ApplianceInformation.jsp
Path: /corporate/webpages/dashboard/IPSRecentAlerts.jsp
Path: /corporate/webpages/dashboard/HTTPVirusDetected.jsp
  • Detect unauthenticated or low-privileged direct GET requests to sensitive dashboard JSP endpoints under /corporate/webpages/dashboard/ — particularly LicenseInformation.jsp, ApplianceInformation.jsp, IPSRecentAlerts.jsp, and HTTPVirusDetected.jsp — which should only be accessible to admin-level users.
  • Look for HTTP 200 responses to GET requests for /corporate/webpages/dashboard/*.jsp from sessions belonging to low-privileged users, indicating successful IDOR/direct object reference exploitation.
  • Flag requests to dashboard JSP pages that include the X-Requested-With: XMLHttpRequest header but originate from non-admin session contexts, as the PoC uses AJAX-style requests to bypass access controls.
  • The exploit requires the attacker to be authenticated (at least as a low-privileged user); purely unauthenticated access is not demonstrated. Detection rules should account for authenticated sessions with insufficient privilege.
  • Many additional dashboard JSP URLs beyond the three listed are reportedly affected ('...Many others...'), so detection coverage should extend to the entire /corporate/webpages/dashboard/ path, not just the named files.
  • Upgrading to version 10.6.5 eliminates this vulnerability; detections are relevant only for devices running 10.6.3 MR-5 or earlier.
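The detection rules above, as an added example that is not part of the advisory or any vendor tooling: a small Python checker run over constructed access-log lines. It assumes a space-separated log format in which a proxy has appended the authenticated session's role after the source IP, and treats only the role "admin" as privileged; both are assumptions for illustration. It covers the whole /corporate/webpages/dashboard/ path, not just the four named files, and rates a 200 response to a non-admin session higher than a denied attempt.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample log (not from the advisory). Fields, assumed to be added by a
# role-aware proxy: src_ip role method path status x_requested_with
SAMPLE_LOG = """\
10.0.0.5 admin GET /corporate/webpages/dashboard/LicenseInformation.jsp 200 XMLHttpRequest
10.0.0.9 readonly GET /corporate/webpages/dashboard/LicenseInformation.jsp 200 XMLHttpRequest
10.0.0.9 readonly GET /corporate/webpages/dashboard/IPSRecentAlerts.jsp 403 -
10.0.0.9 readonly GET /corporate/webpages/dashboard/SomeOtherWidget.jsp 200 -
10.0.0.9 readonly GET /corporate/webpages/login.jsp 200 -
"""

# Any .jsp directly under the dashboard directory, per the "Many others" note.
DASHBOARD_JSP = re.compile(r"^/corporate/webpages/dashboard/[^/?#]+\.jsp", re.IGNORECASE)
PRIVILEGED_ROLES = {"admin"}  # assumption: the only role entitled to dashboard pages


class Alert(NamedTuple):
    src: str
    role: str
    path: str
    status: int
    severity: str            # "high" = bypass succeeded (HTTP 200), "medium" = attempt denied
    indicators: Tuple[str, ...]


def parse_line(line: str):
    src, role, method, path, status, xrw = line.split()
    return src, role, method, path, int(status), xrw


def detect(log_text: str) -> List[Alert]:
    """Return one Alert per GET to a dashboard JSP from a non-privileged session."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, role, method, path, status, xrw = parse_line(line)
        if method != "GET" or not DASHBOARD_JSP.match(path) or role in PRIVILEGED_ROLES:
            continue
        indicators = ["non-admin session to dashboard JSP"]
        if status == 200:
            indicators.append("HTTP 200: access control bypassed")
        if xrw == "XMLHttpRequest":
            indicators.append("AJAX-style request (X-Requested-With)")
        severity = "high" if status == 200 else "medium"
        alerts.append(Alert(src, role, path, status, severity, tuple(indicators)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.severity.upper(), a.src, a.role, a.path, a.status, "; ".join(a.indicators))
```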

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C