CVE-2017-6326
published 2017-06-26


Priority: P1 · 82 · critical · 10 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: available
EPSS: 72.76% (99.4th percentile)
The Symantec Messaging Gateway can encounter a remote code execution issue, a situation in which an individual may obtain the ability to execute commands remotely on a target machine or in a target process.

Affected (2 ranges)

Vendor                Product            Version range   Fixed in
symantec              messaging_gateway  <= 10.6.3
symantec_corporation  messaging_gateway

Detection & IOCs (extracted from sources)

url: /brightmail/viewLogin.do
url: /brightmail/login.do
url: /brightmail/admin/backup/backupNow.do
url: /brightmail/admin/backup/performBackupNow.do
command: perl${IFS}-e${IFS}'system(pack(qq,H<len>,,qq,<hex_payload>,))'
  • Monitor for POST requests to /brightmail/admin/backup/performBackupNow.do with a `remoteBackupPath` parameter containing command injection patterns such as `$(` or `${IFS}`.
  • Detect use of `${IFS}` as a space-bypass technique in HTTP POST body parameters targeting the SMG backup endpoint.
  • Alert on authenticated sessions that access /brightmail/admin/backup/backupNow.do followed immediately by a POST to performBackupNow.do — this is the CSRF-token-harvest-then-exploit sequence used by the module.
  • Look for the hidden form field `symantec.brightmail.key.TOKEN` being scraped via GET before a POST to the backup endpoint, indicating automated exploitation.
  • Detect outbound SCP/SSH connections initiated by the SMG web server process (running as root) to attacker-controlled hosts, which is required for the exploit to deliver the payload.
  • Flag the default Metasploit payload `python/meterpreter/reverse_tcp` spawned under the web server (root) context on the SMG appliance.
  • Exploitation requires valid credentials to the SMG admin interface: this is an authenticated RCE, not unauthenticated. Brute-force or credential-stuffing detections should be layered alongside exploit detection.
  • The exploit requires the attacker to operate a reachable SSH/SCP service; blocking outbound SSH from the SMG appliance to untrusted hosts mitigates payload delivery even if injection occurs.
  • The module was confirmed against SMG version 10.6.2-7 specifically; detection rules should be scoped to that version but may apply to adjacent versions.
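The first three detection notes above (injection patterns in `remoteBackupPath`, the `${IFS}` bypass, and the GET backupNow.do then POST performBackupNow.do sequence) as a small Python detector run over constructed request records. This is an added example, not code from the page's sources or from any Metasploit module; the record shape, session ids, and sample bodies are assumptions about what a reverse proxy or WAF that logs POST bodies would record.

```python
import re
from urllib.parse import parse_qs

# Endpoints named in the detection notes above.
BACKUP_FORM = "/brightmail/admin/backup/backupNow.do"
BACKUP_POST = "/brightmail/admin/backup/performBackupNow.do"
# Command-substitution and IFS space-bypass patterns from the notes.
INJECTION_RE = re.compile(r"\$\(|\$\{IFS\}")

# Constructed sample requests (session id, method, path, optional form body),
# as a proxy/WAF that logs POST bodies might record them. Not real traffic.
SAMPLE_REQUESTS = [
    {"session": "s1", "method": "GET", "path": "/brightmail/viewLogin.do"},
    {"session": "s1", "method": "POST", "path": "/brightmail/login.do",
     "body": "username=admin&password=REDACTED"},
    {"session": "s1", "method": "GET", "path": BACKUP_FORM},
    {"session": "s1", "method": "POST", "path": BACKUP_POST,
     "body": "symantec.brightmail.key.TOKEN=tok1&remoteBackupPath="
             "backup%40203.0.113.9%3A%2Ftmp%24%7BIFS%7Dx"},
    {"session": "s2", "method": "GET", "path": BACKUP_FORM},
    {"session": "s2", "method": "POST", "path": BACKUP_POST,
     "body": "symantec.brightmail.key.TOKEN=tok2&remoteBackupPath="
             "backup%40192.0.2.10%3A%2Fbackups"},
]

def has_injection(req):
    """POST to the backup endpoint whose remoteBackupPath carries $( or ${IFS}.
    parse_qs undoes the percent-encoding an HTTP client applies to the body."""
    if (req["method"], req["path"]) != ("POST", BACKUP_POST):
        return False
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    return any(INJECTION_RE.search(v) for v in params.get("remoteBackupPath", []))

def analyze(reqs):
    """Per session: injection hits and GET-form-then-POST sequences.
    The sequence alone also matches a legitimate admin submitting the form,
    so only sessions showing both are reported as high confidence."""
    injected, sequenced, last = set(), set(), {}
    for r in reqs:
        key = (r["method"], r["path"])
        if has_injection(r):
            injected.add(r["session"])
        if last.get(r["session"]) == ("GET", BACKUP_FORM) and key == ("POST", BACKUP_POST):
            sequenced.add(r["session"])
        last[r["session"]] = key
    return {"injection": injected, "sequence": sequenced,
            "high_confidence": injected & sequenced}

if __name__ == "__main__":
    print(analyze(SAMPLE_REQUESTS))
```

Session s2 shows that the form-then-submit sequence by itself is ordinary admin behaviour, which is why the body check carries the weight.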

CVSS provenance

NVD, CVSS v3.0: 10.0 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C