cbcvebase.
CVE-2017-8835
published 2017-06-05

CVE-2017-8835: SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before…

Priority P275, critical, 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 61.58% (99.1th percentile)
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.

Affected

6 ranges

Vendor    Product             Version range    Fixed in
peplink   1350hw2_firmware
peplink   2500_firmware
peplink   380hw6_firmware
peplink   580hw2_firmware
peplink   710hw3_firmware
peplink   b305hw2_firmware

Detection & IOCs (extracted from sources)

cookie: bauth
path: cgi-bin/MANGA/admin.cgi
  • Monitor HTTP requests to cgi-bin/MANGA/admin.cgi containing anomalous or SQL-crafted values in the bauth cookie, which is the attack vector for this unauthenticated SQLi.
  • Exploitation goal is session cookie theft from the sessions database; alert on unexpected or bulk session ID retrievals from Peplink Balance admin interfaces.
  • Attackers (and the Metasploit module) specifically target the most recently created sessions; look for rapid or repeated unauthenticated requests to the admin CGI endpoint with varying bauth cookie payloads.
  • Peplink Balance devices running firmware up to 7.0.0-build1904 are vulnerable; identify and prioritize patching or monitoring of these specific firmware versions.
  • Session lifetime is configurable by the admin (default 4 hours); the effective exploitation window depends on this setting, meaning attacker urgency to use stolen session cookies will vary per deployment.
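
A sketch of the first and third checks above, added here as an example and not taken from the sources this page cites. It assumes a reverse-proxy log that records the Cookie header as tab-separated fields; the log layout, the sample records, the character heuristic and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ADMIN_PATH = "cgi-bin/MANGA/admin.cgi"   # path named in the advisory
BAUTH_RE = re.compile(r"(?:^|;\s*)bauth=([^;]*)")
# Assumed heuristic: quotes, parentheses, whitespace, ';' and SQL comment
# markers are not expected inside a session token.
SQL_HINT_RE = re.compile(r"['\"();\s]|--|/\*")
DISTINCT_THRESHOLD = 3   # assumed: distinct bauth values per source IP

# Constructed records: timestamp, source IP, request path, Cookie header.
SAMPLE_LOG = """\
2017-06-06T10:00:01Z\t192.0.2.10\t/cgi-bin/MANGA/admin.cgi\tbauth=4f9c2a7be1d04c55
2017-06-06T10:00:05Z\t198.51.100.7\t/cgi-bin/MANGA/admin.cgi\tbauth=x%27%20or%20%271%27%3D%271
2017-06-06T10:00:06Z\t198.51.100.7\t/cgi-bin/MANGA/admin.cgi\tlang=en; bauth=x%27%20or%20%271%27%3D%272
2017-06-06T10:00:07Z\t198.51.100.7\t/cgi-bin/MANGA/admin.cgi\tbauth=x%27%20or%20%271%27%3D%273
2017-06-06T10:00:09Z\t192.0.2.10\t/index.html\tbauth=4f9c2a7be1d04c55
2017-06-06T10:00:12Z\t203.0.113.5\t/cgi-bin/MANGA/admin.cgi\tlang=en
"""

def analyze(log_text):
    """Return (timestamp, source, reason) alerts for admin.cgi requests."""
    alerts = []
    seen = defaultdict(set)          # source IP -> distinct bauth values
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue                 # skip malformed records
        ts, src, path, cookie = parts
        match = BAUTH_RE.search(cookie)
        if ADMIN_PATH not in path or not match:
            continue
        value = unquote(match.group(1))   # decode before inspecting
        if SQL_HINT_RE.search(value):
            alerts.append((ts, src, "sql-like-bauth"))
        seen[src].add(value)
        # Fire once per source, when the threshold is first reached.
        if len(seen[src]) == DISTINCT_THRESHOLD:
            alerts.append((ts, src, "varying-bauth"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

A raw `;` in the header ends the captured cookie value, so only percent-encoded semicolons reach the heuristic; tune the character set to the token format your firmware actually issues.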

CVSS provenance

nvd   v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P