CVE-2017-6079
Published: 2017-05-16
Priority: P184 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: exploited in the wild · public exploit · VulnCheck KEV
EPSS: 46.85% (98.7th percentile)
The HTTP web-management application on Edgewater Networks Edgemarc appliances has a hidden page that allows for user-defined commands such as specific iptables routes, etc., to be set. You can use this page as a web shell essentially to execute commands, though you get no feedback client-side from the web application: if the command is valid, it executes. An example is the wget command. The page that allows this has been confirmed in firmware as old as 2006.
Detection & IOCs (extracted from sources)
- CVE-2017-6079 is exploited via a hidden web-management page on Edgewater Networks Edgemarc appliances that allows arbitrary OS command execution (e.g., wget) with no client-side feedback; monitor HTTP requests to undocumented or hidden management pages on EdgeMarc devices for unexpected command parameters.
- The EwDoor botnet exploits CVE-2017-6079 exclusively against EdgeMarc Enterprise Session Border Controller devices on AT&T carrier networks; detection should focus on anomalous outbound connections and C2 beaconing from these specific device types.
- The hidden command-execution page has been present in EdgeMarc firmware as far back as 2006, so a very wide range of firmware versions across many device generations may be affected.
- Early EwDoor botnet samples contacted a non-existent C2 server (later registered by researchers), so C2 infrastructure indicators from early samples may no longer be valid; the operators subsequently severed communication with that server.
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-4w4r-mv2h-54x5 (ghsa_unreviewed · 2022-05-13 · CVE-2017-6079 [CRITICAL]): same description as the NVD entry above.
VulnCheck
Edgewater Networks Edgemarc HTTP web-management Command Execution (vulncheck · 2017 · CVSS 9.8 · CVE-2017-6079 [CRITICAL]): same description as the NVD entry above.
- Affected: ribboncommunications edgemarc_firmware
- Required action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
- Exploitation references: https://blog.netlab.360.com/warning-e
No detection rules found.
No public exploits indexed.
Securelist
Kaspersky Q4 2021 DDoS attack report (blogs_securelist · 2022-02-10 · CVSS 9.8 [CRITICAL])
Table of Contents
- News roundup
- Quarter and year trends
- DDoS attack statistics
- Conclusion
Authors
- Alexander Gutnikov
- Oleg Kupreev
- Yaroslav Shmelev
## News roundup
Q4 2021 saw the appearance of several new DDoS botnets. A zombie network, named Abcbot by researchers, first hit the radar in July, but at the time it was little more than a simple scanner attacking Linux systems by brute-forcing weak passwords and exploiting known vulnerabilities. In October, the botnet was upgraded with DDoS functionality. Then in December, researchers at Cado Security linked the botnet to the Xanthe cryptojacking group. This is further evidence that the same botnets are often used for mining and DDoS.
The EwDoor botnet, which first came to researchers’ attention in late October, turned out
Checkpoint
6th December – Threat Intelligence Report (blogs_checkpoint · 2021-12-06 · CVE-2021-39237)
## 6th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 6th December, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has identified ongoing campaigns in Iran using socially engineered SMS messages to infect tens of thousands of citizens’ devices. The SMS, impersonating Iranian government services, lures victims into downloading malicious Android apps that steal credit card credentials, personal SMS messages and 2FA
Bugzilla
qt5-qtwebengine: 16 security vulnerabilities (bugzilla · 2018-03-24 · CVSS 6.1 · CVE-2017-15429 [MEDIUM])
Description of problem:
An update [https://bodhi.fedoraproject.org/updates/FEDORA-2018-b844991a97] is available fixing 16 security vulnerabilities in the qt5-qtwebengine currently in F28 Beta:
* CVE-2017-15429
* CVE-2018-6033 (claimed fixed in 5.10.1, but the fix was incomplete and had no effect; the update adds the missing part to make the fix effective)
* CVE-2018-6060
* CVE-2018-6062
* CVE-2018-6064
* CVE-2018-6069
* CVE-2018-6071
* CVE-2018-6073
* CVE-2018-6076
* CVE-2018-6079
* CVE-2018-6081
* CVE-2018-6082
* Chromium (security) Bug 770734
* Chromium (security) Bug 774833
* Chromium (security) Bug 798410
* Chromium (security) Bug 789764
I am therefore proposing this update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-b844991a97
as