CVE-2017-16610
Published 2018-01-23
Priority: P2 · 64 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.94% (91.1th percentile)
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within upload_save_do.jsp. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of the current user. Was ZDI-CAN-4751.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgain-systems | enterprise_manager | < 7.2.766 | 7.2.766 |
| netgain_systems | netgain_systems_enterprise_manager | — | — |
Detection & IOCs
- Monitor for unauthenticated HTTP POST requests to /u/jsp/backup/upload_save_do.jsp, which is the vulnerable file upload endpoint requiring no authentication.
- Detect multipart file upload requests to upload_save_do.jsp where the filename field contains path traversal sequences (e.g., '../') to write files outside the intended backup directory into the web root.
- Alert on the presence of JSP web shells (e.g., shell.jsp) appearing in the /u/js/ directory of the NetGain EM web root following a POST to upload_save_do.jsp.
- The vulnerability is unauthenticated: no session token or credentials are required to exploit upload_save_do.jsp, so authentication-based controls alone are insufficient.
- NetGain EM runs with write access to the web root, meaning a successfully uploaded JSP file is immediately executable via the web server without any additional privilege escalation.
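The first two monitoring items above can be combined into one request-level check. This is an added example, not code from the vendor or from this page's sources; the finding labels, the helper names and the multipart field name `file` are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/u/jsp/backup/upload_save_do.jsp"  # endpoint path as given on this page
FILENAME_RE = re.compile(rb'filename\s*=\s*"([^"\r\n]*)"', re.IGNORECASE)


def _normalise(value: str) -> str:
    """Undo up to three layers of percent-encoding and unify path separators."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def upload_findings(method: str, target: str, body: bytes) -> list:
    """Return the reasons a request matches the pattern described for this CVE."""
    path = _normalise(urlsplit(target).path).lower()
    if method.upper() != "POST" or "/upload_save_do.jsp" not in path:
        return []
    findings = ["post-to-upload-endpoint"]
    for raw in FILENAME_RE.findall(body):
        name = _normalise(raw.decode("latin-1"))
        # A ".." path segment means the name points outside the upload directory.
        if ".." in name.split("/") and "traversal-in-filename" not in findings:
            findings.append("traversal-in-filename")
        # A JSP written under the web root would be executable by the server.
        if name.lower().endswith((".jsp", ".jspx")) and "jsp-upload" not in findings:
            findings.append("jsp-upload")
    return findings


def sample_body(filename: str) -> bytes:
    """Constructed multipart body; the field name "file" is an assumption."""
    return (b'--b\r\nContent-Disposition: form-data; name="file"; filename="'
            + filename.encode() + b'"\r\n\r\nconstructed-data\r\n--b--\r\n')


if __name__ == "__main__":
    for fname in ("backup.zip", "../../example.jsp", "..%5c..%5cexample.jsp"):
        print(fname, "->", upload_findings("POST", ENDPOINT, sample_body(fname)))
```

The check needs the request body, so it belongs where bodies are visible (a reverse proxy, WAF or packet capture); standard access logs record only the request line.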
CVSS provenance
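| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |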
No detection rules found.
No public exploits indexed.