CVE-2018-10577
Published: 2018-05-02
Priority: P2 (64) · CVSS 3.0 base score 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit module available
EPSS: 6.59% (93.0th percentile)
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. File upload functionality allows any user authenticated on the web interface to upload files containing code to the web root, allowing these files to be executed as root.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | ap100_firmware | < 1.2.9.15 | 1.2.9.15 |
| watchguard | ap102_firmware | < 1.2.9.15 | 1.2.9.15 |
| watchguard | ap200_firmware | < 1.2.9.15 | 1.2.9.15 |
| watchguard | ap300_firmware | < 2.0.0.10 | 2.0.0.10 |
Detection & IOCs (extracted from sources)
- Look for POST requests to /cgi-bin/luci/;{stok}/wgupload: this is the file upload endpoint abused to write webshells to the web root ({stok} is the LuCI session token in the path).
- Detect HTTP requests whose Cookie header carries a 'filename=' field pointing to a path under /www/cgi-bin/ or /tmp/ together with 'md5sum=fail': the exploit passes the destination path in cookie fields, and this combination is a hallmark of its upload mechanism.
- Alert on GET requests to /cgi-bin/payload.luci: this is the attacker triggering the uploaded Lua webshell for remote code execution. The filename is attacker-chosen, so a rule keyed only on this name will miss a renamed payload; pair it with the upload indicators above.
- Monitor for AUTH_USER and AUTH_PASS HTTP headers sent to /cgi-bin/luci/: the exploit passes credentials in these custom headers rather than via standard HTTP Basic Auth, which is anomalous.
- Flag use of the credentials admin/1234 against the WatchGuard AP web interface on port 443: these are the hardcoded backdoor credentials (CVE-2018-10575) used by the exploit.
- Detect the sysauth session cookie being set after authentication to /cgi-bin/luci/; subsequent requests reusing this cookie against /wgupload indicate active exploitation. sysauth is LuCI's ordinary session cookie and every legitimate admin session carries it, so treat it as a correlation key, not an alert on its own.
- Watch for files named payload.luci appearing in /www/cgi-bin/ on WatchGuard AP devices: this is the dropped Lua webshell used for code execution as root.
- The exploit targets MIPS big-endian (MIPSBE); binary payloads uploaded to /tmp/payload on WatchGuard APs should be inspected for MIPSBE ELF binaries.
- The exploit also chains CVE-2018-10575 (backdoor account) and CVE-2018-10576 to obtain an authenticated session before using CVE-2018-10577 for the file upload; detecting CVE-2018-10577 alone may miss the full attack chain.
- The module notes it 'can also be used if you have legitimate access credentials to the device': any authenticated user can exploit CVE-2018-10577, so exploitation does not depend on the backdoor account.
- Affected firmware versions are AP100/AP102/AP200 before 1.2.9.15 and AP300 before 2.0.0.10; devices running these versions or later are not vulnerable to the file upload primitive.
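The indicators and chain notes above, run over constructed sample traffic, as an added Python example that is not part of this page, of WatchGuard's firmware, or of the exploit module it describes. It parses the request line and headers of raw HTTP requests, tags each request with the indicators it matches, and correlates requests by the sysauth cookie so that an upload and a trigger in the same session are reported as the full chain. The session-token pattern in the upload-path regex, the host, stok and sysauth values, and the benign /admin/status path are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Indicators from the detection notes above. The session-token pattern
# ([A-Za-z0-9]+ between ';' and '/wgupload') is an assumption about the
# LuCI stok format, not something the page states.
UPLOAD_PATH_RE = re.compile(r"^/cgi-bin/luci/;[A-Za-z0-9]+/wgupload$")
TRIGGER_PATH = "/cgi-bin/payload.luci"
LUCI_PREFIX = "/cgi-bin/luci/"
DROP_DIRS = ("/www/cgi-bin/", "/tmp/")
BACKDOOR_CREDS = ("admin", "1234")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]   # header names lower-cased
    cookies: Dict[str, str]


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; the body is not needed here
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return HttpRequest(method.upper(), path, headers, cookies)


def match_indicators(req: HttpRequest) -> Set[str]:
    """Return the names of the indicators above that this request hits."""
    hits: Set[str] = set()
    if req.method == "POST" and UPLOAD_PATH_RE.match(req.path):
        hits.add("wgupload_post")
    if (req.cookies.get("filename", "").startswith(DROP_DIRS)
            and req.cookies.get("md5sum") == "fail"):
        hits.add("upload_cookie_md5_fail")
    if req.method == "GET" and req.path == TRIGGER_PATH:
        hits.add("payload_luci_trigger")
    user, password = req.headers.get("auth_user"), req.headers.get("auth_pass")
    if req.path.startswith(LUCI_PREFIX) and user is not None and password is not None:
        hits.add("custom_auth_headers")
        if (user, password) == BACKDOOR_CREDS:
            hits.add("backdoor_credentials")
    return hits


def assess(raw_requests: List[str]) -> Dict[str, object]:
    """Tag every request and correlate by sysauth cookie: a session that both
    POSTs to wgupload and GETs the trigger has completed the full chain."""
    per_request: List[Set[str]] = []
    sessions: Dict[str, Set[str]] = {}
    for raw in raw_requests:
        req = parse_request(raw)
        hits = match_indicators(req)
        per_request.append(hits)
        sysauth = req.cookies.get("sysauth")
        if sysauth is not None:  # sysauth alone is normal; it is only a correlation key
            sessions.setdefault(sysauth, set()).update(hits)
    full_chain = {s: {"wgupload_post", "payload_luci_trigger"} <= h
                  for s, h in sessions.items()}
    return {"per_request": per_request, "sessions": sessions, "full_chain": full_chain}


# Constructed sample traffic, not a real capture: the host, stok, sysauth values
# and the benign /admin/status path are made up for the example.
SAMPLE_REQUESTS = [
    "POST /cgi-bin/luci/ HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "AUTH_USER: admin\r\nAUTH_PASS: 1234\r\n\r\n",
    "POST /cgi-bin/luci/;ab12cd34/wgupload HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Cookie: sysauth=f00dbabe; filename=/www/cgi-bin/payload.luci; md5sum=fail\r\n"
    "\r\n-- lua webshell body omitted --",
    "GET /cgi-bin/payload.luci HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Cookie: sysauth=f00dbabe\r\n\r\n",
    "GET /cgi-bin/luci/;ab12cd34/admin/status HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Cookie: sysauth=c0ffee00\r\n\r\n",
]

if __name__ == "__main__":
    result = assess(SAMPLE_REQUESTS)
    for raw, hits in zip(SAMPLE_REQUESTS, result["per_request"]):
        print(raw.splitlines()[0], "->", sorted(hits) or "no indicator")
    print("full chain per session:", result["full_chain"])
```

The fourth request, ordinary admin browsing with a sysauth cookie, produces no indicator, and its session is reported as not completing the chain; the cookie is used only to tie the upload POST and the trigger GET together. The filename check is deliberately anchored on the cookie-carried destination path plus md5sum=fail rather than on the name payload.luci, since the name is under the attacker's control.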
CVSS provenance
NVD v3.0: 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.
No writeups or analysis indexed.