cbcvebase.
CVE-2017-9024
published 2017-05-21

CVE-2017-9024: Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a Directory Traversal issue in its TFTP Server…

PriorityP261high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
12.20%
95.7th percentile
Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname.

Affected

1 ranges
VendorProductVersion rangeFixed in
secure-bytessecure_cisco_auditor

Detection & IOCsextracted from sources · hover to see the quote

port69/UDP (TFTP)
path../../../../Windows/system.ini
commandTFTP Read Request with directory traversal: \x00\x01 + '../../../../Windows/system.ini'\x00 + 'netascii'\x00
bytes
\x00\x01 (TFTP Read Request opcode)
  • Detect TFTP Read Request (opcode 0x0001) packets on UDP/69 containing '../' or '..\' sequences in the filename field, indicative of directory traversal attempts against Secure Auditor's TFTP server.
  • Monitor UDP/69 traffic for TFTP RRQ packets where the filename field contains the pattern '../../../../Windows/system.ini' as used in the public PoC exploit.
  • Alert on TFTP RRQ packets using 'netascii' transfer mode combined with path traversal sequences, matching the exact PoC payload structure: \x00\x01 + traversal path + \x00 + 'netascii' + \x00.
  • ·The TFTP server embedded in Secure Bytes Cisco Configuration Manager (bundled with Secure Cisco Auditor 3.0) does not sanitize pathname inputs, making it exploitable remotely without authentication over UDP/69.
  • ·The vulnerability is remotely exploitable with no authentication required; any host able to reach UDP port 69 on the target can read arbitrary files from the filesystem.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.