CVE-2017-8220
Published 2017-04-25
Priority P273 · critical · CVSS 3.0 base score 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 36.34% (98.3rd percentile)
TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow remote code execution with a single HTTP request by placing shell commands in a "host=" line within HTTP POST data.
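The advisory describes a classic command-injection shape: an HTTP handler takes the value of a `host=` field from the POST body and splices it into a shell command, so metacharacters in the value are executed by `/bin/sh` with the privileges of the web server. The following is an added illustration written for this page, not TP-Link's firmware code and not an exploit for these devices; the newline-separated `key=value` body format, the `ping` use case and all function names (`parse_host`, `build_ping_cmd_vulnerable`, `host_is_safe`, `build_ping_argv_hardened`) are assumptions. It puts the vulnerable pattern next to a hardened one that allow-lists the hostname and hands it to `execvp()` as a separate argument so no shell ever parses it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Constructed sample body (not captured traffic): the second line carries a
 * shell metacharacter in the host value, the pattern the advisory describes. */
static const char kSampleBody[] = "action=diag\nhost=192.168.0.1;reboot\nmode=ping\n";

/* Extract the value of a "host=" line from a newline-separated key=value body
 * (assumed format). Returns 1 and copies the value (truncated to outlen-1) on
 * success, 0 if no non-empty host= line is present. */
int parse_host(const char *body, char *out, size_t outlen)
{
    const char *line = body;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len > 5 && strncmp(line, "host=", 5) == 0) {
            size_t vlen = len - 5;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, line + 5, vlen);
            out[vlen] = '\0';
            return 1;
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* VULNERABLE pattern: the untrusted host is spliced straight into a command
 * string destined for system()/popen(). "192.168.0.1;reboot" becomes
 * "ping -c 1 192.168.0.1;reboot", and /bin/sh runs both commands. */
int build_ping_cmd_vulnerable(const char *host, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "ping -c 1 %s", host);
    return n > 0 && (size_t)n < cmdlen;
}

/* Allow-list check: hostname or IPv4-literal characters only (alnum, '-', '.'),
 * RFC 1123 total length, and no leading '-' so the value cannot masquerade as
 * a command-line option. Everything else, including ';', '|', '`', '$', space
 * and newline, is rejected. */
int host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    if (host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* HARDENED pattern: validate, then place the host in its own argv slot for
 * execvp(); the kernel receives it as one argument and no shell tokenizes it.
 * Returns argc (4) on success, -1 if the value is rejected or argv is too small. */
int build_ping_argv_hardened(const char *host, const char *argv[], size_t argv_cap)
{
    if (argv_cap < 5 || !host_is_safe(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    char host[64], cmd[256];
    const char *argv[8];

    if (!parse_host(kSampleBody, host, sizeof host)) return 1;
    build_ping_cmd_vulnerable(host, cmd, sizeof cmd);
    printf("vulnerable command string : %s\n", cmd);
    printf("hardened path accepts it? : %s\n",
           build_ping_argv_hardened(host, argv, 8) < 0 ? "no (rejected)" : "yes");
    return 0;
}
```

The check worth carrying away is the last one: validation alone is brittle, and the `execvp()`-style argv build is what removes the shell from the path entirely, so even a value that slips past the allow-list cannot chain a second command.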
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | c20i_firmware | <= 0.9.1_4.2_v0032.0_build_160706 | — |
| tp-link | c2_firmware | <= 0.9.1_4.2_v0032.0_build_160706 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.9 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
No public exploits indexed.
Related articles (surfaced by the aggregator on the string "8220"; both concern the 8220 Gang's Oracle WebLogic campaigns and CVE-2017-3506, not this TP-Link vulnerability)

Trend Micro: 8220 Gang Evolves With New Strategies
blogs_trendmicro · 2023-05-16 · Exploits & Vulnerabilities · CVE-2017-3506 [HIGH], CVSS 7.4
By: Sunil Bharti, 2023/05/16. Update as of 7/25/2023 3:40PM PHT: updated the indicators of compromise.
We observed the threat actor group known as "8220 Gang" employing new strategies for their campaigns, including exploits for the Linux utility "lwp-download" and CVE-2017-3506, an Oracle WebLogic vulnerability.
8220 Gang (also known as "8220 Mining Group", named for its use of port 8220 for command-and-control, or C&C, communications) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, Atlassian Confluence vulnerabilities,

Threat Intel: Water Sigbin
threat_intel · CVE-2017-3506 [HIGH], CVSS 7.4
The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware. They exploit vulnerabilities in Oracle WebLogic servers, such as CVE-2017-3506 and CVE-2023-21839, to deliver cryptocurrency miners using PowerShell scripts. The group has demonstrated a sophisticated multistage loading technique to deploy the PureCrypter loader and the XMRig crypto miner. They are known for using obfuscation techniques, such as hexadecimal encoding and code obfuscation, to evade detection and compromise systems.