cbcvebase.
CVE-2017-16921
published 2017-12-08

Priority: P2 (72, high) · CVSS 3.0: 8.8 · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available · EPSS: 19.90% (97.1st percentile)
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.

Affected

57 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | debian_linux | (not shown) | (not shown)   [3 ranges]
debian | otrs2 | < otrs2 6.0.2-1 (bullseye) | otrs2 6.0.2-1 (bullseye)
otrs | otrs | (not shown) | (not shown)   [21 ranges]

Detection & IOCs (extracted from sources)

  • Alert on GET requests to /index.pl?Action=AdminPGP immediately following a SysConfig PGP update — this is the trigger step that executes the injected shell command.
  • Detect PGP::Bin being set to any value other than a known gpg binary path (e.g., /usr/bin/gpg), particularly interpreters like /usr/bin/python, /bin/bash, etc.
  • Detect PGP::Options containing shell metacharacters or Python/subprocess reverse shell patterns (e.g., 'import socket', 'subprocess.call', '/bin/sh -i').
  • Look for the ChallengeToken scraping pattern: a GET to the AdminSysConfig PGP edit page followed immediately by a POST to the same endpoint — indicative of automated exploit tooling.
  • Monitor for OTRS web server process (e.g., apache user) spawning unexpected child processes such as python or /bin/sh with -i flag, which indicates successful RCE.
  • The exploit requires the attacker to already be authenticated as an OTRS agent; unauthenticated exploitation is not possible. Detection should focus on authenticated agent sessions performing admin-level SysConfig changes.
  • The exploit can be repeated an unlimited number of times by re-triggering /index.pl?Action=AdminPGP after the malicious PGP::Bin/PGP::Options config is saved: a single config change enables persistent re-exploitation.
  • Manual cleanup of the PGP SysConfig options is required after exploitation; the malicious settings persist in the admin panel until manually reverted.
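As an added worked example (not code from the OTRS project or from the exploit sources this page cites), the following Python script implements two of the checks listed above: it replays web-server access-log lines to find the edit, update, trigger request chain per client, and it audits the saved PGP SysConfig values for a non-gpg PGP::Bin or a PGP::Options payload. It assumes that SysConfig writes its overrides to Kernel/Config/Files/ZZZAuto.pm as `$Self->{'PGP::Bin'} = '...';` lines, that the edit page's query string contains Action=AdminSysConfig together with the string PGP, and that the client IP is an adequate session key; the log lines, URL parameters and config text are constructed samples.

```python
"""Detection helpers for the CVE-2017-16921 exploitation pattern.

Added example, not OTRS project code. Two checks matching the IOC list:
  1. find_exploit_sequences(): flags a client that GETs the AdminSysConfig PGP
     edit page, POSTs to AdminSysConfig, then GETs Action=AdminPGP (the
     trigger) within a short window.
  2. audit_pgp_config(): scans a SysConfig override file (assumed layout:
     Kernel/Config/Files/ZZZAuto.pm) for a PGP::Bin that is not a known gpg
     binary and for PGP::Options carrying shell metacharacters or
     interpreter-payload markers.
All log lines, config text and URL parameters below are constructed samples.
"""
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 10.0.0.5 performs the full edit -> update -> trigger
# chain; 10.0.0.9 merely opens AdminPGP, which is benign on its own.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [08/Dec/2017:10:00:01 +0000] "GET /otrs/index.pl?Action=AdminSysConfig;Subaction=Edit;SysConfigSubGroup=Crypt%3A%3APGP HTTP/1.1" 200 5123
10.0.0.5 - - [08/Dec/2017:10:00:02 +0000] "POST /otrs/index.pl?Action=AdminSysConfig;Subaction=Update HTTP/1.1" 302 0
10.0.0.5 - - [08/Dec/2017:10:00:03 +0000] "GET /otrs/index.pl?Action=AdminPGP HTTP/1.1" 200 812
10.0.0.9 - - [08/Dec/2017:10:05:00 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom;TicketID=42 HTTP/1.1" 200 9001
10.0.0.9 - - [08/Dec/2017:10:05:30 +0000] "GET /otrs/index.pl?Action=AdminPGP HTTP/1.1" 200 812
"""


def parse_access_log(text):
    """Yield (ip, datetime, method, path) for every parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        yield m.group('ip'), ts, m.group('method'), m.group('path')


def find_exploit_sequences(text, window=timedelta(minutes=5)):
    """Return [(ip, trigger_time)] for each GET AdminPGP that was preceded,
    by the same client within `window`, by a GET of the AdminSysConfig PGP
    edit page and a POST to AdminSysConfig (the ChallengeToken scrape +
    config update, followed by the trigger)."""
    history = {}   # ip -> [(ts, method, path), ...] seen so far
    hits = []
    for ip, ts, method, path in parse_access_log(text):
        seen = history.setdefault(ip, [])
        if method == 'GET' and 'Action=AdminPGP' in path:
            recent = [r for r in seen if ts - r[0] <= window]
            edited = any(r[1] == 'GET' and 'Action=AdminSysConfig' in r[2]
                         and 'PGP' in r[2] for r in recent)
            updated = any(r[1] == 'POST' and 'Action=AdminSysConfig' in r[2]
                          for r in recent)
            if edited and updated:
                hits.append((ip, ts))
        seen.append((ts, method, path))
    return hits


# Perl assignment as SysConfig writes it: $Self->{'PGP::Bin'} = '/usr/bin/gpg';
CONF_RE = re.compile(
    r"\$Self->\{'(PGP::Bin|PGP::Options)'\}\s*=\s*'((?:[^'\\]|\\.)*)';")
KNOWN_GPG_BINS = {'/usr/bin/gpg', '/usr/bin/gpg2', '/usr/local/bin/gpg'}
SHELL_META = re.compile(r'[;&|`$<>]')
PAYLOAD_MARKERS = ('import socket', 'subprocess', '/bin/sh', '/bin/bash',
                   'bash -i', 'sh -i')

# Constructed samples: the shipped defaults vs. values left behind by an exploit.
CLEAN_CONFIG = """\
$Self->{'PGP'} = '1';
$Self->{'PGP::Bin'} = '/usr/bin/gpg';
$Self->{'PGP::Options'} = '--homedir /opt/otrs/.gnupg/ --batch --no-tty --yes';
"""
TAMPERED_CONFIG = """\
$Self->{'PGP'} = '1';
$Self->{'PGP::Bin'} = '/usr/bin/python';
$Self->{'PGP::Options'} = '-c "import socket,subprocess;subprocess.call([\\'/bin/sh\\',\\'-i\\'])"';
"""


def audit_pgp_config(text):
    """Return a list of findings for suspicious PGP::Bin / PGP::Options values."""
    findings = []
    for key, value in CONF_RE.findall(text):
        value = value.replace("\\'", "'")   # undo Perl single-quote escaping
        if key == 'PGP::Bin' and value not in KNOWN_GPG_BINS:
            findings.append(f'PGP::Bin is not a known gpg binary: {value}')
        if key == 'PGP::Options':
            if SHELL_META.search(value):
                findings.append(f'PGP::Options contains shell metacharacters: {value}')
            hit = [m for m in PAYLOAD_MARKERS if m in value]
            if hit:
                findings.append(f'PGP::Options contains payload markers {hit}: {value}')
    return findings


if __name__ == '__main__':
    for ip, ts in find_exploit_sequences(SAMPLE_ACCESS_LOG):
        print(f'ALERT {ip} triggered AdminPGP after a PGP SysConfig update at {ts}')
    for name, cfg in (('clean', CLEAN_CONFIG), ('tampered', TAMPERED_CONFIG)):
        print(name, audit_pgp_config(cfg) or 'no findings')
```

Run the script as-is to see one alert for 10.0.0.5 and three findings for the tampered config; point `find_exploit_sequences` at a real access log and `audit_pgp_config` at the live override file to use it for triage. The config audit is also the cleanup check from the last bullet: rerun it after reverting the settings and expect an empty list.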

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
osv | | 8.8 | HIGH |
vendor_debian | | 8.8 | HIGH |