cbcvebase.
CVE-2017-1092
published 2017-05-22

Priority: P2 (78) · Severity: critical · CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 75.77% (99.5th percentile)
IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390.

Affected (4 ranges)

Vendor          | Product                  | Version range | Fixed in
ibm             | informix_open_admin_tool |               |
ibm             | informix_open_admin_tool |               |
ibm             | informix_open_admin_tool |               |
ibm_corporation | informix_servers         |               |

Detection & IOCs (extracted from sources)

path: C:\Program Files (x86)\IBM Informix Software Bundle\OAT\Apache_2.2.22\htdocs\openadmin\services\welcome\welcomeService.php
path: C:\Program Files (x86)\IBM Informix Software Bundle\OAT\Apache_2.2.22\htdocs\openadmin\services\welcome\welcomeServer.php
path: C:\Program Files (x86)\IBM Informix Software Bundle\OAT\Apache_2.2.22\htdocs\openadmin\modules\login.php
url: /openadmin/services/welcome/welcomeService.php
url: /openadmin/conf/config.php
command: POST /openadmin/services/welcome/welcomeService.php
command: GET /openadmin/conf/config.php?cmd=whoami
other: eval($_POST['<cmd_param>'])

Snort/Suricata rule (ET, sid 2061766):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS IBM Informix Open Admin PHP RCE Attempt Inbound (CVE-2017-1092)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/welcomeService.php"; http.request_body; content:"new_home_page>|22 3b|"; fast_pattern; reference:cve,2017-1092; classtype:web-application-attack; sid:2061766; rev:1; metadata:attack_target Server, created_at 2025_04_21, cve CVE_2017_1092, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect unauthenticated POST requests to /openadmin/services/welcome/welcomeService.php with a SOAPAction header of 'urn:QBEAction' and a body containing 'new_home_page>' followed by a double-quote and semicolon — this is the PHP code injection trigger.
  • Monitor for GET requests to /openadmin/conf/config.php with query parameters (e.g., ?cmd=) — this indicates the backdoor written to config.php is being triggered for RCE.
  • Look for modification of /openadmin/conf/config.php or creation of /openadmin/conf/BAKconfig.php — the exploit writes a PHP backdoor to config.php and backs up the original as BAKconfig.php.
  • Inspect POST bodies to welcomeService.php for the SOAP element 'new_home_page' containing PHP syntax characters such as "; or eval( — these indicate active exploitation of the saveHomePage injection point.
  • The Metasploit module targets /openadmin as the base URI (TARGETURI default). Correlate web logs for sequential POST to welcomeService.php followed by POST to conf/config.php from the same source IP.
  • The exploit is unauthenticated — no credentials are required to reach the vulnerable SOAP endpoint, so authentication-based controls alone are insufficient.
  • On Windows targets, the Apache service runs as NT AUTHORITY\SYSTEM, meaning successful exploitation grants full system privileges. On Linux targets the Metasploit module notes it is not privileged.
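The detection bullets above, worked as checks over request records and file-monitor events. This is an added example for this page, not code from the CVE record, from IBM, or from the Metasploit module; the JSON-lines record layout (ts, src_ip, method, uri, headers, body), the field names, the label strings and the sample source IPs are assumptions. The request body in the constructed sample reuses only the markers the record already lists (the `new_home_page>";` sequence from the Snort rule and the `eval($_POST['<cmd_param>'])` indicator).

```python
import json
import re

# Constructed sample input: JSON-lines request records as a reverse proxy or WAF
# might emit. The record layout (ts, src_ip, method, uri, headers, body) and the
# source IPs are assumptions for this example, not a format the CVE record specifies.
SAMPLE_LOG = r"""
{"ts": 1, "src_ip": "203.0.113.7", "method": "GET", "uri": "/openadmin/index.php", "headers": {}, "body": ""}
{"ts": 2, "src_ip": "203.0.113.7", "method": "POST", "uri": "/openadmin/services/welcome/welcomeService.php", "headers": {"SOAPAction": "urn:QBEAction"}, "body": "<saveHomePage><new_home_page>\";eval($_POST['<cmd_param>']);//</new_home_page></saveHomePage>"}
{"ts": 3, "src_ip": "203.0.113.7", "method": "GET", "uri": "/openadmin/conf/config.php?cmd=whoami", "headers": {}, "body": ""}
{"ts": 4, "src_ip": "198.51.100.9", "method": "POST", "uri": "/openadmin/services/welcome/welcomeService.php", "headers": {"SOAPAction": "urn:QBEAction"}, "body": "<saveHomePage><new_home_page>home</new_home_page></saveHomePage>"}
{"ts": 5, "src_ip": "198.51.100.9", "method": "GET", "uri": "/openadmin/conf/config.php", "headers": {}, "body": ""}
"""

WELCOME_SUFFIX = "/services/welcome/welcomeService.php"
CONFIG_SUFFIX = "/conf/config.php"
# Same byte sequence the Snort rule's content match looks for: new_home_page>|22 3b|
INJECTION_MARKER = 'new_home_page>";'
# Broader check from bullet 4: PHP syntax inside the new_home_page element
PHP_SYNTAX = re.compile(r'new_home_page>[^<]*(?:";|eval\()')


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def split_uri(uri):
    path, _, query = uri.partition("?")
    return path, query


def classify_request(rec):
    """Return the labels (bullets 1, 2 and 4 above) that apply to one request."""
    findings = []
    path, query = split_uri(rec["uri"])
    if rec["method"] == "POST" and path.endswith(WELCOME_SUFFIX):
        body = rec.get("body", "")
        if INJECTION_MARKER in body:
            findings.append("oat_php_injection_trigger")
        elif PHP_SYNTAX.search(body):
            findings.append("oat_new_home_page_php_syntax")
        # The SOAPAction header is only present when the log source keeps headers;
        # treat it as corroboration rather than a requirement.
        if findings and rec.get("headers", {}).get("SOAPAction") == "urn:QBEAction":
            findings.append("soapaction_qbeaction")
    # Bullet 2: config.php requested with query parameters (the written backdoor being driven)
    if path.endswith(CONFIG_SUFFIX) and query:
        findings.append("oat_config_php_backdoor_trigger")
    return findings


def correlate_by_source(records):
    """Bullet 5: a flagged POST to welcomeService.php followed by any request to
    conf/config.php from the same source IP. Returns {src_ip: (post_ts, config_ts)}."""
    flagged_post = {}
    hits = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        path, _ = split_uri(rec["uri"])
        ip = rec["src_ip"]
        if rec["method"] == "POST" and path.endswith(WELCOME_SUFFIX):
            if classify_request(rec):
                flagged_post.setdefault(ip, rec["ts"])
        elif path.endswith(CONFIG_SUFFIX) and ip in flagged_post and ip not in hits:
            hits[ip] = (flagged_post[ip], rec["ts"])
    return hits


def classify_file_event(path, action):
    """Bullet 3: config.php rewritten or BAKconfig.php appearing under openadmin/conf.
    Accepts Windows or POSIX paths; action is the file monitor's verb (created, modified)."""
    norm = path.replace("\\", "/")
    name = norm.rsplit("/", 1)[-1]
    if "/openadmin/conf/" in norm and name in ("config.php", "BAKconfig.php"):
        return f"oat_conf_{name}_{action}"
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        labels = classify_request(rec)
        if labels:
            print(rec["ts"], rec["src_ip"], rec["method"], rec["uri"], labels)
    print("correlated:", correlate_by_source(recs))
```

The correlation step only anchors on a POST that the per-request checks already flagged, so a legitimate home-page save followed by a normal load of config.php (the second source IP in the sample) is not escalated; if the log source does not retain request bodies, drop that condition and accept the higher false-positive rate, or rely on the Snort rule at the perimeter for the body match.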

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)