CVE-2017-12930
published 2017-09-21


Priority: P268 · Severity: critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: flagged
EPSS: 3.10% (86.1th percentile)
SQL Injection in the admin interface in TecnoVISION DLX Spot Player4 version >1.5.10 allows remote unauthenticated users to access the web interface as administrator via a crafted password.

Detection & IOCs (extracted from sources)

command: x' or 'x'='x
path: /resource.php
path: /resource/source/shell.php
  • Detect SQL injection authentication bypass attempts against the admin login: look for the classic tautology payload (x' or 'x'='x) in the password field. Because AND binds tighter than OR, the injected clause turns the WHERE condition into "(username = ... AND password = 'x') OR 'x'='x'", which is true for every row, so the first user returned (typically the administrator) is logged in without a valid password.
  • Use the Google dork 'DlxSpot - Player4' to identify instances of the vulnerable admin interface exposed on the internet.
  • Alert on SSH login attempts using the hardcoded credentials (username: dlxuser, password: tecn0visi0n) against DLX Spot devices; these are valid for all known versions.
  • The SQL injection affects only versions above 1.5.10 of DLX Spot Player4; the hardcoded SSH credential (CVE-2017-12928, root password 'tecn0visi0n') affects all known DLX Spot Player versions, not just those above 1.5.10.
  • The same password 'tecn0visi0n' used for the dlxuser SSH account can also be used to escalate to root on the device.

CVSS provenance

NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P