CVE-2017-17562
Published: 2017-12-12
Priority: P191, high, 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability (due 2022-06-10)
Exploited in the wild
EPSS: 96.33% (99.9th percentile)
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| embedthis | goahead | < 3.6.5 | 3.6.5 |
| oracle | integrated_lights_out_manager | — | — |
| oracle | integrated_lights_out_manager | — | — |
Detection & IOCs (extracted from sources)
- Alert on HTTP requests to GoAhead servers where the query string contains environment variable injection patterns such as 'LD_PRELOAD', 'LD_DEBUG', or 'LIBMYSQL_PLUGINS' referencing /proc/self/fd paths.
- The Metasploit module brute-forces a large list of known GoAhead CGI endpoint names; monitor for rapid sequential GET/POST requests across these paths from a single source IP.
- Vulnerability only exploitable when CGI is enabled AND the CGI program is dynamically linked; statically linked CGI programs are not affected.
- Exploitation requires the glibc dynamic linker to be present; the attack abuses glibc's LD_PRELOAD mechanism to load an attacker-supplied shared object.
- The Metasploit module POST size is limited to 16384 bytes maximum; PowerPC architecture payloads exceed this limit and are not supported.
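The first two alert conditions above, written as log-analysis code. This is an added example, not taken from any of the quoted sources. The combined-log-format sample lines, the `/cgi-bin/` prefix, the matching of every `LD_*` parameter name, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" \d{3}')
# Names from the detection notes above; matching every LD_* name is an assumption.
SUSPECT_NAME = re.compile(r"^(LD_[A-Z0-9_]+|LIBMYSQL_PLUGINS)$")
PROC_FD = re.compile(r"/proc/self/fd/\d+")

def parse(lines):
    """Yield (ip, timestamp, method, split URL) for each parseable log line."""
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, ts, method, target = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, urlsplit(target)

def env_injection_hits(lines):
    """Requests whose query names a linker variable or points at /proc/self/fd."""
    hits = []
    for ip, _, method, url in parse(lines):
        # parse_qsl percent-decodes, so an encoded name such as LD%5FPRELOAD still matches
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SUSPECT_NAME.match(name) or PROC_FD.search(value):
                hits.append((ip, method, url.path, name))
                break
    return hits

def cgi_sweep_sources(lines, window_s=10, min_paths=4, prefix="/cgi-bin/"):
    """Source IPs requesting >= min_paths distinct CGI paths within window_s seconds."""
    by_ip = defaultdict(list)
    for ip, ts, _, url in parse(lines):
        if url.path.startswith(prefix):
            by_ip[ip].append((ts, url.path))
    flagged = []
    for ip, ev in sorted(by_ip.items()):
        ev.sort()
        if any(len({p for t, p in ev[i:] if (t - ev[i][0]).total_seconds() <= window_s}) >= min_paths
               for i in range(len(ev))):
            flagged.append(ip)
    return flagged

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2025:10:00:02 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2025:10:00:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2025:10:00:03 +0000] "GET /cgi-bin/login.cgi HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2025:10:00:04 +0000] "POST /cgi-bin/index.cgi?LD%5FPRELOAD=/proc/self/fd/0 HTTP/1.1" 200 0',
    '203.0.113.5 - - [12/Mar/2025:10:05:00 +0000] "GET /cgi-bin/index.cgi?lang=en HTTP/1.1" 200 512',
]
```

Access logs usually omit the POST body, so the query string and the request pattern are the signals available to this check.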
CVSS provenance
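| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.1 | HIGH | — |
| cisa | — | 8.1 | HIGH | — |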
CISA ICS
General Electric Renewable Energy MDS Radios
cisa_ics·2022-05-27·CVSS 8.1
[HIGH] General Electric Renewable Energy MDS Radios
ICS Advisory
## General Electric Renewable Energy MDS Radios
Last Revised: May 27, 2022
Alert Code: ICSA-22-090-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: General Electric Renewable Energy
- Equipment: MDS iNET/iNET II/SD/TD220/TD220MAX Radios
- Vulnerabilities: Improper Input Validation, Hidden Functionality, Inadequate Encryption Strength, Uncontrolled Resource Consumption, Plaintext Storage of a Password, Download of Code Without Integrity Check
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allo
CISA
Embedthis GoAhead Remote Code Execution Vulnerability
cisa·2021-12-10·CVSS 8.1
CVE-2017-17562 [HIGH] CWE-20 Embedthis GoAhead Remote Code Execution Vulnerability
Vulnerability: Embedthis GoAhead Remote Code Execution Vulnerability
Affected: Embedthis GoAhead
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-17562
Remediation Due Date: 2022-06-10
GHSA
GHSA-q5wm-274q-f3v6: Embedthis GoAhead before 3
ghsa_unreviewed·2022-05-14
CVE-2017-17562 [HIGH] CWE-20 GHSA-q5wm-274q-f3v6: Embedthis GoAhead before 3
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
VulnCheck
Embedthis GoAhead Remote Code Execution Vulnerability
vulncheck·2017·CVSS 8.1
CVE-2017-17562 [HIGH] CWE-20 Embedthis GoAhead Remote Code Execution Vulnerability
Embedthis GoAhead Remote Code Execution Vulnerability
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
Affected: Embedthis GoAhead
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.securin.io/wp-content/uploads/2023/08/2023-State-of-Cybersecurity-for-Medical-Devices-and-Healthcare-Systems.pdf; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-12&host_type=src&vulnerability=cve-2017-17562; https://www.security.com/threat-intelligence/china
No detection rules found.
Exploit-DB
GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)
exploitdb·2018-01-24
CVE-2017-17562 GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)
GoAhead Web Server 2.5 'GoAhead Web Server LD_PRELOAD Arbitrary Module Load',
```ruby
'Description' => %q{
  This module triggers an arbitrary shared library load vulnerability
  in GoAhead web server versions between 2.5 and that have the CGI module
  enabled.
},
'Author' =>
  [
    'Daniel Hodson ', # Elttam Vulnerability Discovery & Python Exploit
    'h00die', # Metasploit Module
    'hdm', # Metasploit Module
  ],
'License' => MSF_LICENSE,
'References' =>
  [
    [ 'CVE', '2017-17562' ],
    [ 'URL', 'https://www.elttam.com.au/blog/goahead/' ]
  ],
'Payload' =>
  {
    'Space' => 5000,
    'DisableNops' => true
  },
'Platform' => 'linux',
'Targets' =>
  [
    [ 'Automatic (Reverse Shell)',
      { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'ReverseStub' => true,
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd_reverse_stub',
            'ConnectionType' =
```
Exploit-DB
GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution
exploitdb·2017-12-18·CVSS 8.1
CVE-2017-17562 [HIGH] GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution
GoAhead Web Server 2.5 >> ./makemyday.py -h
```
# usage: makemyday.py [-h] [--server SERVER] [--port PORT] [--maxconn {1-256}]
#                     [--verbose]
#                     {fingerprint,stage,exploit,findcgi} ...
#
# GoAhead httpd remote LD_PRELOAD exploit.
#
# positional arguments:
#   {fingerprint,stage,exploit,findcgi}
#     fingerprint      fingerprint if GoAhead server uses CGI
#     stage            send a staging payload and wait indefinitely
#     exploit          run exploit
#     findcgi          brute force cgi script names
#
# optional arguments:
#   -h, --help         show this help message and exit
#   --server SERVER    target ip or hostname, default is localhost
#   --port PORT        target port, default is 80
#   --maxconn {1-256}  max concurrent requests, default is 1
#   --verbose, -v      increase verbosity level
#
# See https://www.elttam.com.au for more information.
# >>>./makemyday.
```
Metasploit
GoAhead Web Server LD_PRELOAD Arbitrary Module Load
metasploit
GoAhead Web Server LD_PRELOAD Arbitrary Module Load
GoAhead Web Server LD_PRELOAD Arbitrary Module Load
This module triggers an arbitrary shared library load vulnerability in GoAhead web server versions between 2.5 and that have the CGI module enabled.
Nuclei
Embedthis GoAhead <3.6.5 - Remote Code Execution
nuclei·CVSS 8.1
CVE-2017-17562 [HIGH] Embedthis GoAhead <3.6.5 - Remote Code Execution
Embedthis GoAhead <3.6.5 - Remote Code Execution
description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
Template:
```yaml
id: CVE-2017-17562
info:
  name: Embedthis GoAhead <3.6.5 - Remote Code Execution
  author: geeknik
  severity: high
  description: |
    description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade to Embedthis GoAhead version 3.6.5 or later to mitigate this vulnerability.
  reference:
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vul
```
arXiv
The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants
arxiv_fulltext·2023-09-03
The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants
The End of the Canonical IoT Botnet:
A Measurement Study of Mirai's Descendants
Leon Böck
Telecooperation Lab
Technical University of Darmstadt
Valentin Sundermann
Telecooperation Lab
Technical University of Darmstadt
Isabella Fusari
George Mason University
Shankar Karuppayah
National Advanced IPv6 Centre
Universiti Sains Malaysia
Max Mühlhäuser
Telecooperation Lab
Technical University of Darmstadt
Dave Levin
University of Maryland
## Abstract
Since the burgeoning days of IoT, Mirai has been established as the
canonical IoT botnet.
Not long after the public release of its code, researchers found many
Mirai variants compete with one another for many of the same
vulnerable hosts.
Over ti
CTF
20191012-hitconctfquals / README
ctf_writeups·2019
20191012-hitconctfquals / README
# HITCON CTF 2019 Quals
**It's recommended to read our responsive [web version](https://balsn.tw/ctf_writeup/20191012-hitconctfquals/) of this writeup.**
Dragos
OT Security Advisories
blogs_dragos·2025-09-17·CVSS 7.5
CVE-2024-432057 [HIGH] OT Security Advisories
## OT Security Advisories
## These advisories cover OT/ICS vulnerabilities discovered and disclosed by Dragos as an authorized CVE Numbering Authority (CNA).
| Threat Level | Name | CVE ID | Vulnerability Type | Affects |
|---|---|---|---|---|
| Limited Threat | Maples Systems/Weintek HMI Panel and EBPro Software Vulnerabilities | CVE-2024-432057 | Incorrect Permission Assignment for Critical Resource | Maple Systems and Weintek Brand HMI panels: iP Series: All versions, all models; iE Series: All versions, all models; eMT Series: All versions, all models; XE Series: All versions, all models; mTV Series: All versions, all models |
| | | CVE-2024-7710 | Integrity check fails to identify out-of-band logic changes | Maple Systems and Weintek Brand HMI panels: iP Series: All versions, all models; iE Series: All versions, all models; eMT Ser |
Huntress
Tomcat 9 Vulnerability: Analysis, Detection, Removal | Huntress
blogs_huntress·CVSS 8.1
[HIGH] Tomcat 9 Vulnerability: Analysis, Detection, Removal | Huntress
## Tomcat 9 Vulnerability
Published: 12/05/2025
Written by: Lizzie Danielson
## What is Tomcat 9 Vulnerability?
The Tomcat 9 vulnerability refers to a series of security flaws impacting the Apache Tomcat 9 software, primarily affecting its ability to properly manage configurations, remote code execution (RCE), and unauthorized access scenarios. It has been classified as a high-risk vulnerability in cases where improper input validation compromises server environments. These vulnerabilities can enable attackers to exploit unpatched systems, often through malicious input or authentication loopholes. Notable CVEs associated with this include CVE-2019-0232 and CVE-2021-33037.
## When was it discovered?
The vulnerabilities in Tomcat 9 were disclosed at various times, depending on the spec
Huntress
GoAhead Vulnerability CVE-2017-17562: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 8.1
CVE-2017-17562 [HIGH] GoAhead Vulnerability CVE-2017-17562: Analysis, Impact, Mitigation | Huntress
## GoAhead Vulnerability
Published: 10/07/2025
Written by: Monica Burgess
The GoAhead vulnerability, specifically CVE-2017-17562, is a critical flaw in the GoAhead web server, a lightweight server commonly embedded in IoT devices. This remote code execution (RCE) vulnerability allows attackers to run arbitrary code on affected devices by exploiting how the server handles CGI scripts, posing a significant threat to countless internet-connected products.
## When was it Discovered?
The GoAhead vulnerability was publicly disclosed in December 2017. Security researchers from Elttam, a security firm, were credited with its discovery. The disclosure highlighted the immediate risk to millions of IoT devices that used the vulnerable versions of the GoAhead web server. The vendor, Embedthis, wa
References:
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.securitytracker.com/id/1040702
- https://github.com/elttam/advisories/tree/master/CVE-2017-17562
- https://github.com/embedthis/goahead/commit/6f786c123196eb622625a920d54048629a7caa74
- https://github.com/embedthis/goahead/issues/249
- https://www.elttam.com.au/blog/goahead/
- https://www.exploit-db.com/exploits/43360/
- https://www.exploit-db.com/exploits/43877/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-17562

Timeline:
- 2017-12-12: Published
- 2021-12-10: Added to CISA KEV
- Exploited in the wild