CVE-2017-5173
published 2017-05-19


Priority: P186, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 29.58% (98.0th percentile)
An Improper Neutralization of Special Elements (in an OS command) issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An improper neutralization of special elements vulnerability has been identified. If special elements are not properly neutralized, an attacker can call multiple parameters that can allow access to the root level operating system which could allow remote code execution.

Affected

1 range
Vendor: geutebrueck
Product: ip_camera_g-cam_efd-2250_firmware
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

path: /uapi-cgi/viewer/testaction.cgi
command: type=ip&ip=eth0 1.1.1.1;<command>
snort:
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes: ip|3a 20|eth0|20|1.1.1.1|3b|
  • Exploit is delivered via HTTP POST to the /uapi-cgi/viewer/testaction.cgi endpoint; the injection occurs in the 'ip' POST parameter using semicolon to chain OS commands (e.g., 'eth0 1.1.1.1;<payload>').
  • No authentication is required to exploit this vulnerability; the endpoint is accessible anonymously and executes commands with root privileges.
  • This exploit has been observed in the wild as part of Mirai botnet variants targeting IoT devices; monitor for POST requests to /testaction.cgi with the header pattern 'ip: eth0 1.1.1.1;'.
  • Payload compatibility requires 'generic netcat bash' command types on a Unix/ARCH_CMD platform, indicating shell-based reverse/bind shell payloads are the expected attack vector.
  • The Snort/ET rules carry 'confidence Low' metadata, meaning they may produce false positives or miss variants that alter the injected IP address or interface name from the hardcoded 'eth0 1.1.1.1' pattern.
  • The affected firmware version is specifically G-Cam/EFD-2250 Version 1.11.0.12; detections should be scoped to devices running this firmware version.
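
The notes above say the rules key on the literal 'eth0 1.1.1.1' string and can miss variants. The following added example (not from this page's sources or the ET ruleset) checks the decoded 'ip' form field of any POST to /testaction.cgi for shell metacharacters instead. It assumes request bodies are available, for example from a proxy or WAF log, and that a legitimate value is just an interface name and an IPv4 address; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Characters a POSIX shell treats as separators, pipes, redirects or substitutions.
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")
# Assumption: a legitimate 'ip' value is "<interface> <IPv4 address>" and nothing else.
EXPECTED_IP = re.compile(r"[A-Za-z0-9_.-]{1,16} \d{1,3}(?:\.\d{1,3}){3}")

def form_values(body, name):
    """Decode every value of one field in an x-www-form-urlencoded body."""
    values = []
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(raw))
    return values

def inspect_request(method, uri, body):
    """Return findings for one request; an empty list means nothing matched."""
    path = urlsplit(uri).path.lower()
    if method.upper() != "POST" or not path.endswith("/testaction.cgi"):
        return []
    findings = []
    for value in form_values(body, "ip"):
        if SHELL_META.search(value):
            findings.append("shell metacharacter in ip parameter")
        elif not EXPECTED_IP.fullmatch(value):
            findings.append("unexpected ip parameter shape")
    return findings

# Constructed sample requests (method, URI, body); <command> is the page's placeholder.
SAMPLES = [
    ("POST", "/uapi-cgi/viewer/testaction.cgi", "type=ip&ip=eth0 1.1.1.1;<command>"),
    ("POST", "/uapi-cgi/viewer/testaction.cgi", "type=ip&ip=eth1+10.0.0.5%3B%3Ccommand%3E"),
    ("POST", "/uapi-cgi/viewer/testaction.cgi", "type=ip&ip=eth0+192.168.1.20"),
    ("GET", "/index.html", ""),
]

def scan(samples):
    """Map each sample's index to its findings, keeping only flagged requests."""
    return {i: f for i, s in enumerate(samples) if (f := inspect_request(*s))}

if __name__ == "__main__":
    for index, findings in scan(SAMPLES).items():
        print(index, SAMPLES[index][2], findings)
```

The second sample changes the interface and address and URL-encodes the semicolon, so the literal byte pattern would not match it, while the decoded-field check still flags it.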

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 9.8 CRITICAL