cbcvebase.
CVE-2017-9822
published 2017-07-20

CVE-2017-9822: DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

Priority: P1 (96, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 94.79% (99.8th percentile)

Affected

2 ranges
Vendor        Product          Version range   Fixed in
dnnsoftware   dotnetnuke       < 9.1.1         9.1.1
dotnetnuke    dotnetnuke_cms   (none given)    fixed_in_9.1.1

Detection & IOCs (extracted from sources)

Signature 2588 (source: other): CVE-2017-9822 DotNetNuke Remote Code Execution Exploit - HTTP (Request)
Signature 1134304 (source: other): WEB DotNetNuke Deserialization Vulnerability (CVE-2017-9822)
  • CVE-2017-9822 is exploited via a malicious cookie in HTTP requests sent to DNN (DotNetNuke) servers; monitor for anomalous or oversized cookie values in inbound HTTP traffic to DNN endpoints.
  • Exploit delivery uses multiple layers of obfuscated code in HTTP request bodies; inspect HTTP requests to DNN servers for encoded/obfuscated scripting payloads.
  • Post-exploitation activity includes outbound HTTP connections to eeme7j[.]win to download Monero miner payloads (mule.exe for Windows, mule for Linux); alert on any outbound connections to this domain.
  • Both Windows and Linux web servers are targeted; look for execution of PowerShell scripts (scv.ps1) or shell scripts (larva.sh) spawned from web server processes as indicators of compromise.
  • The exploit vector is specifically the DNN cookie deserialization mechanism; only DNN (DotNetNuke) installations prior to version 9.1.1 are vulnerable.
  • The malicious domain eeme7j[.]win and associated payload URLs were observed in a campaign active from mid-December 2017; infrastructure may have changed since then.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck             8.8     HIGH
cisa                  8.8     HIGH