cbcvebase.
CVE-2017-14001
published 2017-09-26

Priority: P261high
CVSS 3.0 base score: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.45% (92.9th percentile)
An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.

Affected (1 range)

Vendor   Product        Version range   Fixed in
digium   asterisk_gui   <= 2.1.0        (none listed)

Detection & IOCs (extracted from sources)

  • OS command injection is delivered via the URL request of the Digium Asterisk GUI program; monitor HTTP requests to Asterisk GUI endpoints for embedded OS command metacharacters (e.g., ;, |, &&, $()) in URL parameters.
  • Exploitation requires an authenticated (low-privilege) remote attacker; monitor for authenticated sessions followed by anomalous URL requests or unexpected process spawning from the Asterisk GUI service.
  • Affected product is Asterisk GUI version 2.1.0 and prior; identify and flag any internet-exposed instances of this software version for priority investigation.
  • No known public exploits specifically target this vulnerability at the time of advisory publication; the threat may be lower but should not be dismissed given the CVSS v3 score of 8.8.

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD      v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C