CVE-2018-1000049
published 2018-02-09


Priority: P183 high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 77.30% (99.5th percentile)

Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote code execution vulnerability by abusing the miner API. The flaw can be exploited only if the software is executed with read/write mode enabled.

Affected (1 range)

Vendor     Product               Version range   Fixed in
nanopool   claymore_dual_miner   <= 7.3

Detection & IOCs (extracted from sources)

port: 3333
command: {"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","HEX_STRING"]}
command: {"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
filename: reboot.bat
filename: reboot.bash
bytes: 706f7765727368656c6c2e657865
bytes: 5c5c7837665c5c7834355c5c7834635c5c783436
snort: alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2;)
snort: alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1;)

  • Detect exploit stage 1 (file write): Monitor TCP port 3333 for JSON-RPC requests containing 'miner_file' method with 'reboot.bat' (Windows) or 'reboot.bash'/'reboot.sh' (Linux) as the first parameter, followed by a hex-encoded payload string.
  • Detect exploit stage 2 (trigger): Monitor TCP port 3333 for JSON-RPC requests containing 'miner_reboot' method, which triggers execution of the previously written reboot script.
  • The Windows payload hex signature '706f7765727368656c6c2e657865' decodes to 'powershell.exe' — use this as a fast-pattern content match within miner_file traffic on port 3333.
  • Reconnaissance step uses 'miner_getfile' method to retrieve 'config.txt' to fingerprint the target OS before exploitation — alert on this API call as a precursor indicator.
  • The vulnerability is only exploitable when the miner is started with read/write mode enabled; read-only API mode is not affected.
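
The detection notes above can be combined into one stateful check. The following is an added example, not code from the sources this entry cites: it assumes traffic to port 3333 has already been reassembled into one JSON-RPC request per line with its source address, and the function names, sample addresses and the benign `miner_getstat1` line are constructed for illustration.

```python
import json

# Script names and the hex marker come from the indicators listed above.
REBOOT_SCRIPTS = {"reboot.bat", "reboot.bash", "reboot.sh"}
POWERSHELL_HEX = "706f7765727368656c6c2e657865"  # hex of "powershell.exe"

def classify(message):
    """Return a finding label for one JSON-RPC request line, or None."""
    try:
        req = json.loads(message)
    except ValueError:
        return None
    if not isinstance(req, dict):
        return None
    method = req.get("method")
    params = req.get("params") if isinstance(req.get("params"), list) else []
    name = str(params[0]).lower() if params else ""
    if method == "miner_getfile" and name == "config.txt":
        return "recon"
    if method == "miner_file" and name in REBOOT_SCRIPTS:
        body = str(params[1]).lower() if len(params) > 1 else ""
        return "write+powershell" if POWERSHELL_HEX in body else "write"
    if method == "miner_reboot":
        return "trigger"
    return None

def scan(events):
    """events: iterable of (source, raw_line). Returns (source, finding) alerts,
    escalating a trigger that follows a script write from the same source."""
    wrote, alerts = set(), []
    for src, raw in events:
        finding = classify(raw)
        if finding is None:
            continue
        if finding.startswith("write"):
            wrote.add(src)
        elif finding == "trigger" and src in wrote:
            finding = "write-then-trigger"
        alerts.append((src, finding))
    return alerts

# Constructed sample traffic (documentation-range addresses, not real captures).
SAMPLE = [
    ("192.0.2.10", '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}'),
    ("192.0.2.10", '{"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}'),
    ("192.0.2.10", '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","' + POWERSHELL_HEX + '"]}'),
    ("198.51.100.7", '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}'),
    ("192.0.2.10", '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}'),
]
```

A lone `miner_reboot` is reported as `trigger`, while one that follows a reboot-script write from the same source is escalated to `write-then-trigger`, which is the sequence worth paging on.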

CVSS provenance

nvd         v3.0   7.5   HIGH     CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0   6.0   MEDIUM   AV:N/AC:M/Au:S/C:P/I:P/A:P
vulncheck          7.5   HIGH