CVE-2018-15137
published 2018-08-08

CVE-2018-15137: CeLa Link CLR-M20 devices allow unauthorized users to upload any file (e.g., asp, aspx, cfm, html, jhtml, jsp, or shtml), which causes remote code execution as…

Priority: P274 · critical 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 18.20% (96.8th percentile)
CeLa Link CLR-M20 devices allow unauthorized users to upload any file (e.g., asp, aspx, cfm, html, jhtml, jsp, or shtml), which causes remote code execution as well. Because of the WebDAV feature, it is possible to upload arbitrary files by utilizing the PUT method.

Affected

1 range
Vendor: cela_link · Product: clr-m20_firmware · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: PUT /test.html HTTP/1.1
version: lighttpd/1.4.20
  • Use Shodan dork 'CLR-M20' to identify internet-exposed vulnerable devices.
  • A successful exploit returns HTTP 201 Created with Content-Length: 0; alert on this response code following a PUT request to a CLR-M20 device.
  • No authentication is required to exploit this vulnerability; the device accepts unauthenticated WebDAV PUT requests.
  • The vulnerability is confirmed on firmware version 2.7.1.6 of the CeLa Link CLR-M20 device.
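
A detection pass over the two conditions listed above (a PUT that the device answered with 201 Created, and an uploaded path whose extension is one named in the description), as an added example that is not part of this record or of any vendor tooling. It assumes the device's lighttpd writes combined-format access log lines; the sample lines are constructed, not captured traffic.

```python
import re
from typing import Dict, List

# Extensions the CVE description names as uploadable script/page content.
RISKY_EXT = {"asp", "aspx", "cfm", "html", "jhtml", "jsp", "shtml"}

# Combined-format access log line (assumed; adjust to the actual accesslog.format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_webdav_uploads(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per PUT request that the server answered with 201 Created.

    Severity is 'high' when the uploaded path ends in an extension from the CVE
    description, 'medium' for any other successful PUT (still unauthenticated).
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "PUT" or m["status"] != "201":
            continue
        path = m["path"]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        alerts.append({
            "src": m["src"], "time": m["ts"], "path": path,
            "severity": "high" if ext in RISKY_EXT else "medium",
        })
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Aug/2018:10:00:01 +0000] "PROPFIND / HTTP/1.1" 207 512 "-" "curl/7.61.0"',
    '203.0.113.7 - - [08/Aug/2018:10:00:02 +0000] "PUT /test.html HTTP/1.1" 201 0 "-" "curl/7.61.0"',
    '203.0.113.7 - - [08/Aug/2018:10:00:03 +0000] "PUT /cmd.jsp HTTP/1.1" 201 0 "-" "curl/7.61.0"',
    '198.51.100.4 - - [08/Aug/2018:10:00:04 +0000] "PUT /notes.txt HTTP/1.1" 201 0 "-" "-"',
    '198.51.100.4 - - [08/Aug/2018:10:00:05 +0000] "PUT /x.aspx HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.9 - - [08/Aug/2018:10:00:06 +0000] "GET /test.html HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in find_webdav_uploads(SAMPLE_LOG):
        print(f'{a["severity"].upper():6} {a["time"]} {a["src"]} PUT {a["path"]} -> 201 Created')
```

The rejected PUT (403) and the later GET of the uploaded page are deliberately left out of the alerts; a follow-up GET of a freshly created path from a different source is a useful second signal if the log retention allows correlating it.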

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C