CVE-2017-7722
published 2017-04-12

Priority P272 · critical · 10 · CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EXPLOIT
EPSS: 12.73% (95.8th percentile)

In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploiting a vulnerability in the restrictssh feature of the menuing script, an attacker can escape from the restricted shell.

Affected

1 range
Vendor | Product | Version range | Fixed in
solarwinds | log_event_manager | |

Detection & IOCs (extracted from sources)

other: username: cmc, password: password
  • Detect SSH authentication attempts to SolarWinds LEM using the default credentials: username 'cmc' and password 'password'. Successful logins with these credentials should be treated as a high-confidence indicator of exploitation.
  • Monitor for restricted shell escape activity on SolarWinds LEM SSH sessions, specifically abuse of the 'restrictssh' feature within the menuing script.
  • Flag SolarWinds LEM instances running version 6.3.1 or earlier (before 6.3.1 Hotfix 4) with SSH exposed, as they are vulnerable to this restricted shell escape leading to remote code execution.
  • The default credentials ('cmc'/'password') are hardcoded in the product and are the prerequisite for exploitation. Changing or disabling these credentials mitigates the attack vector.
  • The vulnerability is patched in SolarWinds LEM 6.3.1 Hotfix 4 and later. Unpatched instances with SSH exposed to untrusted networks are at critical risk.

CVSS provenance

nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C