CVE-2016-9684
published 2017-02-22


Priority: P2 · 69 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 7.06% (93.4th percentile)
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. The vulnerability is in the 'viewcert' CGI (/cgi-bin/viewcert), the component responsible for processing SSL certificate information. The CGI application does not properly escape the value it receives in the 'CERT' variable before passing it to system(), allowing remote command injection. Successful exploitation yields shell access to the remote machine as the nobody user account.

Affected (1 range)

Vendor: dell
Product: sonicwall_secure_remote_access_server
Version range: not listed on this record
Fixed in: not listed on this record

Detection & IOCs (extracted from sources)

path: /cgi-bin/viewcert
path: /cgi-bin/userLogin
port: 443
cookie: swap=<token>
command: buttontype=delete&CERT=newcert-1`<cmd>`
path: /tmp/qq
command: chmod +x /tmp/qq; sh /tmp/qq
path: /tmp/n
path: /tmp/m
version: 8.1.0.2-14sv
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SRA Post-Auth viewcert CGI Command Injection (CVE-2016-9684)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/viewcert"; fast_pattern; http.request_body; content:"CERT|3d|"; pcre:"/^[^\x26\x0d\x0a]*?[\x3b\x60\x7c]/R"; reference:url,www.exploit-db.com/exploits/42343; reference:cve,2016-9684; classtype:web-application-attack; sid:2061547; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_14, cve CVE_2016_9684, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect POST requests to /cgi-bin/viewcert containing the CERT parameter with shell metacharacters (backtick, semicolon, pipe) immediately following the value — the injection point used by the exploit.
  • The Snort/Suricata rule matches on POST to /cgi-bin/viewcert with body containing 'CERT=' (CERT|3d|) followed by shell injection characters (0x3b=;, 0x60=`, 0x7c=|) via PCRE, requiring TLS decryption for encrypted traffic.
  • The exploit first authenticates via POST to /cgi-bin/userLogin and extracts a 'swap' session cookie, which is then used to authorize the injection request to /cgi-bin/viewcert. Correlate login events with subsequent viewcert POST requests.
  • Payload staging writes ELF binaries or shell scripts to /tmp/ (paths /tmp/m, /tmp/n, /tmp/qq) and executes them with chmod +rx. Monitor for file creation and execution in /tmp/ by the 'nobody' user.
  • The exploit uses a hardcoded User-Agent string 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0' for the login phase; correlate this UA with POST requests to SonicWall SRA admin CGI endpoints.
  • Exploitation is post-authentication — valid credentials (default username 'admin') are required before the injection can be triggered. Ensure authentication logging is enabled to detect brute-force or credential-stuffing attempts preceding exploitation.
  • The Snort/Suricata rule (sid:2061547) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect the POST body, as the SRA appliance listens on port 443. Without SSL inspection the rule will not fire.
  • Successful exploitation yields a shell running as the 'nobody' user, not root — however the exploit also attempts privilege escalation via 'sudo /bin/rm' and chmod operations, suggesting sudo misconfiguration may be present on vulnerable appliances.
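The detection notes above describe two checks a defender can run over decrypted HTTP logs: the body test of the Snort rule (CERT= followed by a shell metacharacter before the next '&' or line break) and the correlation of a userLogin POST with a later viewcert POST from the same client. The script below is an added example written for this page; it is not code from the rule's authors, SonicWall, or any exploit, and it assumes a simple request-log model (method, URI, body, Cookie header, source IP, User-Agent) that you would fill from your own proxy or WAF export. The sample requests are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Body condition of the Snort rule quoted above (sid:2061547):
#   content:"CERT|3d|"; pcre:"/^[^\x26\x0d\x0a]*?[\x3b\x60\x7c]/R"
# i.e. after "CERT=" a ';', '`' or '|' appears before any '&', CR or LF.
CERT_INJECTION_RE = re.compile(r"CERT=[^&\r\n]*?[;`|]")

# User-Agent the page reports for the exploit's login phase.
EXPLOIT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) "
              "Gecko/20100101 Firefox/50.0")


@dataclass
class HttpRequest:
    """One decrypted request, as a proxy or WAF log would record it (assumed model)."""
    method: str
    uri: str
    body: str = ""
    cookie: str = ""       # raw Cookie header value
    client: str = ""       # source IP
    user_agent: str = ""


def matches_viewcert_injection(req: HttpRequest) -> bool:
    """Same conditions as the rule: POST, URI containing /cgi-bin/viewcert,
    and CERT= followed by a shell metacharacter inside the same parameter."""
    if req.method != "POST" or "/cgi-bin/viewcert" not in req.uri:
        return False
    return CERT_INJECTION_RE.search(req.body) is not None


def swap_token(cookie_header: str) -> str:
    """Value of the SRA 'swap' session cookie, or '' when absent."""
    m = re.search(r"(?:^|;\s*)swap=([^;]+)", cookie_header)
    return m.group(1) if m else ""


def correlate(requests: List[HttpRequest]) -> List[Dict[str, str]]:
    """Walk requests in order and report every viewcert injection, noting
    whether the same client POSTed to /cgi-bin/userLogin beforehand and
    whether the exploit's User-Agent was seen from that client."""
    login_seen: set = set()      # clients that authenticated earlier
    ua_seen: set = set()         # clients that sent the exploit UA
    alerts: List[Dict[str, str]] = []
    for req in requests:
        if req.user_agent == EXPLOIT_UA:
            ua_seen.add(req.client)
        if req.method == "POST" and "/cgi-bin/userLogin" in req.uri:
            login_seen.add(req.client)
        if matches_viewcert_injection(req):
            alerts.append({
                "client": req.client,
                "swap": swap_token(req.cookie),
                "post_auth": "yes" if req.client in login_seen else "unknown",
                "exploit_ua": "yes" if req.client in ua_seen else "no",
            })
    return alerts


# Constructed sample traffic (not captured data): one attacker-style sequence
# from 198.51.100.7 and two benign viewcert POSTs that must not alert.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/cgi-bin/userLogin", "username=admin&password=<redacted>",
                client="198.51.100.7", user_agent=EXPLOIT_UA),
    HttpRequest("POST", "/cgi-bin/viewcert", "buttontype=delete&CERT=newcert-1`<cmd>`",
                cookie="swap=abc123", client="198.51.100.7"),
    HttpRequest("POST", "/cgi-bin/viewcert", "buttontype=view&CERT=newcert-1",
                cookie="swap=def456", client="203.0.113.9"),
    # Metacharacter only after '&': outside the CERT value, so no alert,
    # exactly as the rule's PCRE behaves.
    HttpRequest("POST", "/cgi-bin/viewcert", "CERT=newcert-1&note=a;b",
                cookie="swap=def456", client="203.0.113.9"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_REQUESTS):
        print(alert)
```

Running the script prints one alert for the 198.51.100.7 sequence and nothing for the benign requests. Like the Snort rule, this only works on decrypted traffic: the appliance listens on 443, so feed it logs from a TLS-terminating proxy or a decrypting sensor. The `post_auth` field is reported as "unknown" rather than "no" when no login was observed, because the login may simply have happened before the log window.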

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)