cbcvebase.
CVE-2017-14127
published 2017-09-04

CVE-2017-14127: Command Injection in the Ping Module in the Web Interface on Technicolor TD5336 OI_Fw_v7 devices allows remote attackers to execute arbitrary OS commands as…

PriorityP179critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
2.69%
84.0th percentile
Command Injection in the Ping Module in the Web Interface on Technicolor TD5336 OI_Fw_v7 devices allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the pingAddr parameter to mnt_ping.cgi.

Affected

1 ranges
VendorProductVersion rangeFixed in
technicolortd5336_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|
path/mnt_ping.cgi
snort
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-18396/CVE-2017-14127 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029155; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_18396, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-18396/CVE-2017-14127 (Outbound)"; flow:established,to_server; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029154; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_18396, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
  • Exploit targets HTTP GET requests to /mnt_ping.cgi with URL-encoded shell metacharacter '|3b|' (semicolon) injected into the pingAddr parameter, enabling OS command injection as root.
  • The URI pattern /mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b| (where |3b| is URL-encoded semicolon) should be treated as a high-confidence exploit indicator; match at URI start (startswith).
  • This exploit is associated with the Mirai variant EchoBot, which weaponized this CVE alongside CVE-2019-18396 against IoT devices.
  • Monitor both inbound (ET sid:2029155) and outbound (ET sid:2029154) HTTP flows for the exploit URI pattern to detect both incoming attacks and potentially compromised internal hosts beaconing out.
  • ·The Snort/Suricata rules carry only 'confidence Medium' metadata, meaning false positives are possible; tune deployment to perimeter sensors as indicated.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.