cbcvebase.
CVE-2017-18377
published 2019-06-11

CVE-2017-18377: An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters in the pwd…

PriorityP179critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
6.37%
92.8th percentile
An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters in the pwd variable, as demonstrated by a set_ftp.cgi?svr=192.168.1.1&port=21&user=ftp URI.

Detection & IOCsextracted from sources · hover to see the quote

urlset_ftp.cgi?svr=192.168.1.1&port=21&user=ftp
path/upgrade_handle.php?cmd=writeuploaddir&uploaddir=
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution"; flow:established,to_server; http.uri; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir="; startswith; reference:url,blogs.securiteam.com/index.php/archives/3409; reference:cve,CVE-2017-18377; classtype:attempted-recon; sid:2024914; rev:4; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_03_07;)
  • Monitor HTTP requests to set_ftp.cgi containing shell metacharacters in the 'pwd' variable, which is the injection point for command execution on Wireless IP Camera (P2P) WIFICAM devices.
  • Detect inbound HTTP requests where the URI starts with /upgrade_handle.php?cmd=writeuploaddir&uploaddir= targeting IoT devices on the home network — this is the Netgear ReadyNAS Surveillance unauthenticated RCE vector.
  • The ET rule (sid:2024914) is classified as attempted-recon with Major severity and is recommended for Perimeter deployment against IoT targets.
  • ·The CVE description references Wireless IP Camera (P2P) WIFICAM devices, but the ET Snort rule (sid:2024914) is attributed to Netgear ReadyNAS Surveillance — both share this CVE identifier, so ensure detection scope covers both device families.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.