CVE-2016-9269
Published: 2017-02-21

Priority: P2 (72) · Severity: critical · CVSS 3.0 base score: 9.9 (AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H)

Flags: EXPLOIT

EPSS: 13.42% (96.0th percentile)
Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to run arbitrary commands on the system as root via Patch Update functionality. This was resolved in Version 6.5 CP 1737.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendmicro | interscan_web_security_virtual_appliance | <= 6.5 | — |
Detection & IOCs (extracted from sources)

- Monitor HTTP POST requests to /servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload on port 1812 from low-privileged user sessions, as this is the direct exploitation endpoint for CVE-2016-9269 RCE.
- Alert on uploads of files named 'stargate_patch.tgz' or 'startgate_patch_apply.sh' to the IWSVA management interface, as these are the weaponized patch artifacts used in exploitation.
- Detect outbound reverse shell connections from the IWSVA appliance, particularly on port 443, initiated after a patch upload action.
- Monitor POST requests to /servlet/com.trend.iwss.gui.servlet.updateaccountadministration with accountop=review or accountop=add from low-privileged sessions, indicating privilege escalation attempts (CVE-2016-9315).
- Inspect the pkg_name parameter in ConfigBackup download requests for path traversal or CRLF injection sequences (e.g., %0D%0A), as seen in the exploit PoC.
- The vulnerability affects IWSVA version 6.5-SP2_Build_Linux_1707 and earlier; it was resolved in Version 6.5 CP 1737. Detection rules should be scoped to unpatched appliances running builds prior to 1737.
- Exploitation requires an authenticated session (at minimum a least-privileged 'report-only' user). Detection should correlate the JSESSIONID cookie with the privilege level of the authenticated account making the ManagePatches upload request.
- The management console exclusively runs on port 1812; network-level detections and firewall rules should restrict access to this port to trusted administrator IPs only.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.9 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.