CVE-2017-17406
published 2018-01-23


Priority: P263 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.58% (90.4th percentile)
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within an exposed RMI registry, which listens on TCP ports 1800 and 1850 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. Was ZDI-CAN-4753.

Affected

2 ranges
Vendor           Product                             Version range   Fixed in
netgain-systems  enterprise_manager                  < 7.2.766       7.2.766
netgain_systems  netgain_systems_enterprise_manager  (not given)     (not given)

Detection & IOCs

port 1800
port 1850
  • Detect unauthenticated connections to TCP ports 1800 and 1850 on NetGain Enterprise Manager hosts, which expose the vulnerable Java RMI registry targeted by deserialization attacks.
  • Monitor for Java deserialization payloads (e.g., ysoserial gadget chains leveraging Apache Commons Collections or bsh) sent to RMI registry ports 1800/1850 on NetGain EM hosts.
  • The RMI registry ports 1800 and 1850 are exposed by default and require no authentication, meaning no credentials are needed to trigger the deserialization vulnerability.

CVSS provenance

NVD  CVSS v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD  CVSS v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P