CVE-2016-9315
published 2017-02-21

CVE-2016-9315: Privilege Escalation Vulnerability in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA)…

Priority: P264 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 8.98% (94.6th percentile)

Privilege Escalation Vulnerability in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to change Master Admin's password and/or add new admin accounts. This was resolved in Version 6.5 CP 1737.

Affected

1 range
Vendor | Product | Version range | Fixed in
trendmicro | interscan_web_security_virtual_appliance | <= 6.5 |

Detection & IOCs (extracted from sources)

url: /servlet/com.trend.iwss.gui.servlet.updateaccountadministration
port: 1812
command: CSRFGuardToken=&accountop=review&allaccount=admin&allaccount=hacker2&allaccount=hacker4&allaccount=hacker&allaccount=test&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=abc123&PASS2=abc123&description=Master+Administrator&role_select=0&roleid=0
command: CSRFGuardToken=&accountop=add&allaccount=admin&accountType=local&accountnamelocal=hacker&accounttype=0&password_changed=true&PASS1=pass1234&PASS2=pass1234&description=hackerUser&role_select=1&roleid=1
  • Monitor for POST requests to /servlet/com.trend.iwss.gui.servlet.updateaccountadministration on port 1812 from non-admin (low-privileged) session tokens, especially with parameters accountop=review (password change) or accountop=add (new admin creation).
  • Detect POST body containing 'password_changed=true' combined with 'accountop=review' and 'accountname=admin' targeting the updateaccountadministration servlet — indicative of Master Admin password reset by low-privileged user.
  • Detect POST body containing 'accountop=add' with 'accounttype=0' (Master Admin role) to the updateaccountadministration servlet from a low-privileged session — indicative of unauthorized admin account creation.
  • Alert on any HTTP request to the IWSVA management console (port 1812) from unexpected or external source IPs, particularly targeting servlet endpoints.
  • The vulnerability affects IWSVA version 6.5-SP2_Build_Linux_1707 and earlier in the 6.5.x series; older versions may also be affected. The fix was released in Version 6.5 CP 1737.
  • Exploitation requires an authenticated session (least-privileged user); the attacker must supply a valid JSESSIONID and CSRFGuardToken from their own low-privileged session.
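
The detection bullets above, combined into one check over parsed HTTP request records. This is an added example, not code from this page's sources or from the vendor. It assumes the records come from a reverse proxy or packet capture that exposes the POST body, and that the defender supplies the set of known admin sessions and the management network; the record fields, rule names, session ids and IP ranges are hypothetical.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

SERVLET = "/servlet/com.trend.iwss.gui.servlet.updateaccountadministration"
MGMT_PORT = 1812  # IWSVA management console port named on this page

def findings(req, admin_sessions, allowed_nets):
    """Return the names of the detection rules one HTTP request record matches."""
    hits = []
    if req["port"] != MGMT_PORT:
        return hits
    src = ip_address(req["src_ip"])
    if not any(src in ip_network(net) for net in allowed_nets):
        hits.append("console-access-from-unexpected-source")
    path = req["path"].split("?", 1)[0].lower()
    if req["method"] != "POST" or path != SERVLET:
        return hits
    if req["session"] in admin_sessions:  # legitimate admin use of the servlet
        return hits
    hits.append("account-servlet-post-by-non-admin")
    form = parse_qs(req["body"])  # repeated keys such as allaccount become lists
    first = lambda key: form.get(key, [""])[0]
    if (first("accountop") == "review" and first("password_changed") == "true"
            and first("accountname") == "admin"):
        hits.append("master-admin-password-change")
    if first("accountop") == "add" and first("accounttype") == "0":
        hits.append("admin-account-creation")
    return hits

# Constructed sample records (not real traffic); session ids and IPs are made up.
ADMIN_SESSIONS = {"S-ADMIN"}      # assumption: sessions known to belong to admins
ALLOWED_NETS = ["192.0.2.0/24"]   # assumption: the management network
SAMPLE = [
    {"src_ip": "192.0.2.10", "port": 1812, "method": "POST", "path": SERVLET, "session": "S-REPORT",
     "body": "accountop=review&allaccount=admin&allaccount=test&accountname=admin&password_changed=true"},
    {"src_ip": "198.51.100.7", "port": 1812, "method": "POST", "path": SERVLET, "session": "S-REPORT",
     "body": "accountop=add&accountnamelocal=newuser&accounttype=0&roleid=1"},
    {"src_ip": "192.0.2.10", "port": 1812, "method": "POST", "path": SERVLET, "session": "S-ADMIN",
     "body": "accountop=add&accounttype=0"},
    {"src_ip": "198.51.100.7", "port": 1812, "method": "GET", "path": "/index.jsp", "session": "",
     "body": ""},
]

def scan(records):
    """Map record index -> matched rules, for records that matched anything."""
    results = ((i, findings(r, ADMIN_SESSIONS, ALLOWED_NETS)) for i, r in enumerate(records))
    return {i: hits for i, hits in results if hits}
```

Calling `scan(SAMPLE)` flags the two low-privileged POSTs and the off-network console request, and leaves the admin's own account creation unflagged.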

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N