CVE-2017-15889
published 2017-12-04

CVE-2017-15889: Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary…

Priority: P2 · 78 · high · 8.8 (CVSS 3.0)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 72.45% (99.4th percentile)
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
synology | diskstation_manager | < 5.2-5967-5 | 5.2-5967-5
synology | diskstation_manager | |

Detection & IOCs (extracted from sources)

path: webman/modules/StorageManager/smart.cgi
port: 5000
command: /dev/sd`<cmd>`
  • Monitor POST requests to webman/modules/StorageManager/smart.cgi with a 'disk' parameter containing backtick-enclosed command injection patterns (e.g., /dev/sd`...`).
  • Look for POST requests to smart.cgi with action=apply&operation=quick and a disk field value that does not match a standard /dev/sdX device name.
  • Detect the X-SYNO-TOKEN header in POST requests to smart.cgi, which indicates authenticated exploitation attempts against this endpoint.
  • Alert on creation of or access to the file /a on Synology DSM hosts, used as a wget input staging file during exploitation.
  • Alert on login.cgi requests with enable_syno_token=yes query parameter followed shortly by POST requests to smart.cgi — this sequence is characteristic of the exploit chain.
  • Flag DSM versions earlier than 5.2-5967-5 (including 3.0, 4.x, 5.0, 5.1, and 5.2 builds below 5967-5) as vulnerable during asset inventory.
  • The disk parameter in smart.cgi is limited to 30 characters, so the exploit stages commands via echo into /a and then uses wget to fetch and execute a payload. Detection rules must account for multi-step injection rather than a single large payload.
  • Exploitation requires prior authentication (remote authenticated users); unauthenticated access to smart.cgi alone is not sufficient to trigger the vulnerability.
  • The Metasploit module uses a WfsDelay of 10 seconds to allow payload download and execution; network-based detections should account for this delayed callback pattern.
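
One way to turn the request-level checks above into a detection, as an added example that is not part of the original page or of any vendor tooling. The event record layout, the /webman/login.cgi path, the device-name regex, the 60-second window and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

SMART_CGI = "webman/modules/StorageManager/smart.cgi"
DEVICE_RE = re.compile(r"/dev/sd[a-z]+")  # assumed shape of a standard /dev/sdX name
CHAIN_WINDOW = 60  # seconds between token login and smart.cgi POST (assumed)

def disk_is_suspicious(disk):
    """True when the decoded disk field is not a plain /dev/sdX device name."""
    return DEVICE_RE.fullmatch(disk) is None

def analyze(events):
    """Return one alert per smart.cgi POST whose disk field fails validation."""
    token_login, steps, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        url = urlsplit(ev["url"])
        if url.path.endswith("login.cgi"):
            if parse_qs(url.query).get("enable_syno_token") == ["yes"]:
                token_login[ev["src"]] = ev["ts"]
            continue
        if ev["method"] != "POST" or not url.path.endswith(SMART_CGI):
            continue
        for disk in parse_qs(ev["body"], keep_blank_values=True).get("disk", []):
            if not disk_is_suspicious(disk):
                continue
            steps[ev["src"]] = steps.get(ev["src"], 0) + 1
            seen = token_login.get(ev["src"])
            alerts.append({
                "src": ev["src"], "ts": ev["ts"], "disk": disk,
                "step": steps[ev["src"]],  # >1 suggests staged, multi-request injection
                "after_token_login": seen is not None and ev["ts"] - seen <= CHAIN_WINDOW,
            })
    return alerts

# Constructed sample events (not real traffic); <cmd-N> are placeholders.
SMART = "/" + SMART_CGI
SAMPLE_EVENTS = [
    {"ts": 10, "src": "10.0.0.5", "method": "POST", "url": SMART,
     "body": "action=apply&operation=quick&disk=%2Fdev%2Fsda"},
    {"ts": 100, "src": "10.0.0.9", "method": "GET",
     "url": "/webman/login.cgi?enable_syno_token=yes", "body": ""},
    {"ts": 103, "src": "10.0.0.9", "method": "POST", "url": SMART,
     "body": "action=apply&operation=quick&disk=%2Fdev%2Fsd%60%3Ccmd-1%3E%60"},
    {"ts": 105, "src": "10.0.0.9", "method": "POST", "url": SMART,
     "body": "action=apply&operation=quick&disk=%2Fdev%2Fsd%60%3Ccmd-2%3E%60"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The disk value is URL-decoded before matching, so percent-encoded backticks are caught, and the per-source step counter surfaces the multi-request staging that the 30-character limit forces.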

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P