CVE-2018-11220
Published 2018-05-31
CVE-2018-11220: Bitmain Antminer D3, L3+, and S9 devices allow Remote Command Execution via the system restore function.
Priority: P267 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 16.41% (96.6th percentile)
Detection & IOCs (extracted from sources)
- Monitor HTTP multipart file upload requests to the system restore/upgrade endpoint containing a TAR archive with a file named 'restoreConfig.sh' — this is the malicious payload delivery mechanism for CVE-2018-11220.
- Alert on the presence of a named pipe at /tmp/f combined with an outbound netcat (nc) connection, which is the reverse shell pattern used in the exploit payload.
- Exploitation requires valid credentials; default credentials root/root on Bitmain Antminer devices should be treated as an active risk indicator — successful login followed by a restore/upgrade action is a high-fidelity attack sequence.
- Inspect uploaded TAR archives to the Antminer administration portal for the presence of shell scripts, particularly 'restoreConfig.sh', which is executed during the system restore process.
- Exploitation requires valid credentials to the Antminer administration portal, meaning the attacker must already have (or have guessed/brute-forced) login access before the RCE is reachable.
- The vulnerability affects multiple Antminer device families (D3, L3+, S9, and potentially others), so detection and patching scope should not be limited to a single model.
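An added example, not taken from this page or its sources: a Python check for the archive-inspection and /tmp/f-plus-nc indicators listed above, run over the bytes of a TAR archive captured from an upload. The `unreadable-archive` label, the 64 KiB read cap, the finding names and the sample file contents are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Indicators named in the detection notes above.
RESTORE_SCRIPT = "restoreConfig.sh"
PIPE_PATH = re.compile(rb"/tmp/f\b")              # the named pipe path
NETCAT = re.compile(rb"(?<![\w.-])nc(?![\w.-])")  # nc as a standalone command word
MAX_READ = 64 * 1024  # assumed cap on bytes read per archive member


def inspect_restore_upload(data: bytes) -> list[str]:
    """Return findings for a TAR archive sent to the restore function."""
    findings = []
    try:
        archive = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        return ["unreadable-archive"]
    with archive:
        for member in archive:
            name = member.name.rsplit("/", 1)[-1]
            is_script = name.endswith(".sh")
            if name == RESTORE_SCRIPT:
                findings.append(f"restore-script:{member.name}")
            elif is_script:
                findings.append(f"shell-script:{member.name}")
            if not member.isfile():
                continue
            # Read the member in memory only; nothing is extracted to disk.
            body = archive.extractfile(member).read(MAX_READ)
            if is_script or body.startswith(b"#!"):
                if PIPE_PATH.search(body) and NETCAT.search(body):
                    findings.append(f"pipe-and-netcat:{member.name}")
    return findings


def build_sample(files: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory TAR archive for demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

An empty result means none of the listed indicators were present in the archive; it does not show that the upload was benign.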
CVSS provenance
nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.
No writeups or analysis indexed.