cbcvebase.
CVE-2018-16059
published 2018-09-07

CVE-2018-16059: Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.

PriorityP278medium5.3CVSS 3.0
AVNACLPRNUINSUCLINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
29.82%
98.0th percentile
Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.

Affected

1 ranges
VendorProductVersion rangeFixed in
endresswirelesshart_fieldgate_swg70_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/fcgi-bin/wgsetcgi
path/fcgi-bin/wgsetcgi
commandaction=ajax&command=4&filename=../../../../../../../../../../etc/passwd&origin=cw.Communication.File.Read&transaction=fileCommand
path../../../../../../../../../../etc/passwd
  • Detect POST requests to /fcgi-bin/wgsetcgi containing directory traversal sequences in the 'filename' parameter, specifically targeting /etc/passwd.
  • Look for the specific POST body parameters: action=ajax, command=4, origin=cw.Communication.File.Read, and transaction=fileCommand combined with path traversal in the filename field.
  • A successful exploitation response will contain /etc/passwd content; match on 'root:.*:0:0:' in the HTTP response body with a 200 status code.
  • The exploit uses Content-Type: application/x-www-form-urlencoded in POST requests to the vulnerable CGI endpoint; monitor for this combination on ICS/OT network segments.
  • ·The vulnerability is unauthenticated (PR:N) and remotely exploitable with low attack complexity, meaning no credentials are required to trigger the path traversal.
  • ·Both Endress+Hauser SWG70 3.x and all PEPPERL+FUCHS WHA-GW-* products are affected, broadening the detection scope beyond a single vendor.
  • ·Public exploit code is available (Exploit-DB 45342), meaning automated/scripted exploitation is trivial and should be expected in the wild.

CVSS provenance

nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.