CVE-2016-9682
published 2017-02-22


Priority: P2 76; severity: critical, CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Public exploit: available
EPSS: 23.30% (97.5th percentile)
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in its web administrative interface. These vulnerabilities occur in the diagnostics CGI (/cgi-bin/diagnostics) component responsible for emailing out information about the state of the system. The application doesn't properly escape the information passed in the 'tsrDeleteRestartedFile' or 'currentTSREmailTo' variables before making a call to system(), allowing for remote command injection. Exploitation of this vulnerability yields shell access to the remote machine under the nobody user account.

Affected

1 range
Vendor | Product | Version range | Fixed in
dell | sonicwall_secure_remote_access_server | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/diagnostics
url (PoC, exploit #1): /cgi-bin/diagnostics?tsrEmailCurrent=true&currentTSREmailTo=|date>/tmp/xort||a%20%23
url (PoC, exploit #2): /cgi-bin/diagnostics?tsrDeleteRestarted=true&tsrDeleteRestartedFile=|date>/tmp/xort2||a%20%23
Snort/Suricata rule (ET sid:2061548, M1):
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SRA diagnostics CGI Command Injection (CVE-2016-9682) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/diagnostics|3f|"; content:"currentTSREmailTo|3d|"; fast_pattern; pcre:"/^[^\x26\x0d\x0a]*?[\x3b\x60\x7c\x24]/R"; reference:url,www.exploit-db.com/exploits/42342; reference:cve,2016-9682; classtype:web-application-attack; sid:2061548; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_14, cve CVE_2016_9682, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Snort/Suricata rule (ET sid:2061549, M2):
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SRA diagnostics CGI Command Injection (CVE-2016-9682) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/diagnostics|3f|"; content:"tsrDeleteRestartedFile|3d|"; fast_pattern; pcre:"/^[^\x26\x0d\x0a]*?[\x3b\x60\x7c\x24]/R"; reference:url,www.exploit-db.com/exploits/42342; reference:cve,2016-9682; classtype:web-application-attack; sid:2061549; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_14, cve CVE_2016_9682, deployment Perimeter, deployment Internal, deployment SSLDecrypt, signature_severity Major, tag Exploit, updated_at 2025_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect GET requests to /cgi-bin/diagnostics whose 'currentTSREmailTo' parameter value contains a shell metacharacter (;, `, |, $) before the next '&', indicative of command injection (Exploit #1 / M1, sid:2061548).
  • Detect GET requests to /cgi-bin/diagnostics whose 'tsrDeleteRestartedFile' parameter value contains a shell metacharacter (;, `, |, $) before the next '&', indicative of command injection (Exploit #2 / M2, sid:2061549).
  • Attacker-controlled pipe characters (|) in the 'currentTSREmailTo' or 'tsrDeleteRestartedFile' URL parameters are the injection vector used by the public PoC; monitor the appliance's HTTP access logs for these and for the other metacharacters listed above.
  • The public PoC requests redirect command output to /tmp/xort and /tmp/xort2; the presence of either file on an SRA appliance is a host-side indicator that the PoC was run.
  • Exploitation results in command execution as the 'nobody' user account; look for unexpected processes spawned under 'nobody' on SonicWall SRA appliances.
  • The Snort/Suricata rules inspect the HTTP URI and therefore require TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt), because the administrative interface is served over HTTPS.
  • The vulnerability was confirmed only against version 8.1.0.2-14sv (fully updated at time of testing); applicability to other versions is unconfirmed.
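The following is an added example, not code from this page or from Emerging Threats, that applies the matching logic of the two rules above to HTTP access-log lines, for sites that keep the appliance's web logs but cannot decrypt TLS inline. It checks the same two parameter names and the same metacharacter class (; ` | $) up to the next '&', as the rules' pcre does. The log lines are constructed for the example and the 'decode' option, which percent-decodes a value before checking it, is an extension of my own and not part of the ET rules.

```python
import re
from urllib.parse import urlsplit, unquote

# Parameters the ET rules (sid 2061548 / 2061549) key on.
INJECTABLE_PARAMS = ("currentTSREmailTo", "tsrDeleteRestartedFile")
# Same metacharacter class as the rules' pcre: ; ` | $
META = re.compile(r"[;`|$]")
# Request line inside an Apache-style combined log entry.
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines for this example; not taken from a real appliance.
# Lines 1-2 are the two public PoC URLs, line 3 is a legitimate request, line 4 carries
# a percent-encoded pipe (%7C), line 5 hits a different CGI.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2017:10:01:02 +0000] "GET /cgi-bin/diagnostics?tsrEmailCurrent=true&currentTSREmailTo=|date>/tmp/xort||a%20%23 HTTP/1.1" 200 512
10.0.0.5 - - [22/Feb/2017:10:01:03 +0000] "GET /cgi-bin/diagnostics?tsrDeleteRestarted=true&tsrDeleteRestartedFile=|date>/tmp/xort2||a%20%23 HTTP/1.1" 200 512
10.0.0.6 - - [22/Feb/2017:10:02:00 +0000] "GET /cgi-bin/diagnostics?tsrEmailCurrent=true&currentTSREmailTo=admin@example.com HTTP/1.1" 200 512
10.0.0.7 - - [22/Feb/2017:10:03:00 +0000] "GET /cgi-bin/diagnostics?tsrEmailCurrent=true&currentTSREmailTo=x%7Cid HTTP/1.1" 200 512
10.0.0.8 - - [22/Feb/2017:10:04:00 +0000] "GET /cgi-bin/welcome?foo=;id HTTP/1.1" 200 512
"""


def suspicious_params(uri, decode=False):
    """Return the injectable parameters of a /cgi-bin/diagnostics request whose value
    contains a shell metacharacter. The query is split on '&' without decoding so the
    check mirrors the rules' pcre on the raw URI; decode=True additionally
    percent-decodes each value first (my extension, not ET behaviour)."""
    parts = urlsplit(uri)
    if parts.path != "/cgi-bin/diagnostics":
        return []
    hits = []
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if name not in INJECTABLE_PARAMS:
            continue
        if decode:
            value = unquote(value)
        if META.search(value):
            hits.append(name)
    return hits


def scan_log(text, decode=False):
    """Scan access-log text; return (client_ip, [flagged params]) per GET request
    that the rule logic would alert on."""
    hits = []
    for line in text.splitlines():
        m = REQ_LINE.search(line)
        if not m or m.group("method") != "GET":
            continue
        params = suspicious_params(m.group("uri"), decode=decode)
        if params:
            hits.append((line.split(" ", 1)[0], params))
    return hits


if __name__ == "__main__":
    for client, params in scan_log(SAMPLE_LOG, decode=True):
        print(f"CVE-2016-9682 injection attempt from {client}: {', '.join(params)}")
```

Run as-is the raw check flags only the two PoC lines; with decode=True it also flags the %7C line, which the network rules would only catch if the URI buffer they inspect has been percent-decoded. Keep the raw check as the primary signal and treat the decoded hit as lower confidence.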

CVSS provenance

NVD | CVSS v3.0 | 9.8 CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD | CVSS v2.0 | 10.0 CRITICAL (this site's label; NVD's own v2 severity scale tops out at HIGH) | AV:N/AC:L/Au:N/C:C/I:C/A:C