CVE-2018-16060
Published 2021-10-15
Priority: P2 62 · High · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT · EPSS: 19.61% (97.0th percentile)
Mitsubishi Electric Europe B.V. SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to the /web endpoint on SmartRTU devices; a successful exploit returns HTTP 200 with Content-Type: application/x-tar and Content-Location: web.tar, disclosing the full web application source code archive.
- Alert on HTTP responses containing 'Content-Location: web.tar' and 'Content-Type: application/x-tar' from SmartRTU/ME RTU devices, indicating successful source code disclosure.
- The server banner 'Apache/2.4.7 (Ubuntu)' in responses from SmartRTU devices can help fingerprint vulnerable targets during triage.
- The exploit requires no authentication; a simple direct HTTP GET to /web is sufficient to trigger the disclosure, meaning no special headers or credentials are needed beyond network access to the device.
- The vulnerability affects Mitsubishi Electric Europe B.V. SmartRTU devices (also branded as INEA ME RTU); both vendor product lines share the same vulnerable codebase.
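The indicators above translate directly into a response-side detection. The following is an added example, not code from the original page or from the vendor: it scans HTTP transaction records (the record layout, the field names and the sample traffic are all constructed assumptions) and flags the exact pattern described, a GET to /web answered with HTTP 200, Content-Type application/x-tar and Content-Location web.tar, while treating the Apache/2.4.7 (Ubuntu) banner alone as a lower-confidence fingerprint for triage rather than a confirmed disclosure.

```python
"""Detection helper for the CVE-2018-16060 indicators listed above.

Added example (not from the original page or the vendor). It scans HTTP
transaction records, e.g. exported from a web proxy or IDS, and flags the
response pattern the page describes. The record format is an assumption.
"""

from typing import Dict, List

# Indicators taken from the page's Detection & IOCs section.
TARGET_PATH = "/web"
IOC_CONTENT_TYPE = "application/x-tar"
IOC_CONTENT_LOCATION = "web.tar"
FINGERPRINT_BANNER = "Apache/2.4.7 (Ubuntu)"


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def classify(record: Dict) -> str:
    """Return 'disclosure', 'fingerprint' or 'none' for one HTTP transaction."""
    # Normalise the path: drop the query string and a trailing slash.
    path = record.get("path", "").split("?", 1)[0].rstrip("/") or "/"
    headers = record.get("resp_headers", {})
    ctype = _header(headers, "Content-Type").lower()
    cloc = _header(headers, "Content-Location").lower()
    if (
        record.get("method", "").upper() == "GET"
        and path == TARGET_PATH
        and record.get("status") == 200
        and ctype.startswith(IOC_CONTENT_TYPE)
        and cloc.endswith(IOC_CONTENT_LOCATION)
    ):
        # Source archive actually served: high-confidence disclosure event.
        return "disclosure"
    if path == TARGET_PATH and _header(headers, "Server") == FINGERPRINT_BANNER:
        # /web was probed on a device carrying the banner, but no archive came back.
        return "fingerprint"
    return "none"


def scan(records: List[Dict]) -> List[Dict]:
    """Return one alert per record that matches an indicator."""
    alerts = []
    for rec in records:
        verdict = classify(rec)
        if verdict != "none":
            alerts.append({"src": rec.get("src"), "dst": rec.get("dst"), "verdict": verdict})
    return alerts


# Constructed sample transactions (documentation-range addresses, not real traffic).
SAMPLE_RECORDS = [
    {  # full match: source archive served to an unauthenticated client
        "src": "198.51.100.7", "dst": "192.0.2.10", "method": "GET", "path": "/web",
        "status": 200,
        "resp_headers": {"Server": "Apache/2.4.7 (Ubuntu)",
                         "Content-Type": "application/x-tar",
                         "Content-Location": "web.tar"},
    },
    {  # same banner, /web probed, but the device answered 404: fingerprint only
        "src": "198.51.100.8", "dst": "192.0.2.11", "method": "GET", "path": "/web/",
        "status": 404,
        "resp_headers": {"Server": "Apache/2.4.7 (Ubuntu)", "Content-Type": "text/html"},
    },
    {  # ordinary page load, no indicator
        "src": "198.51.100.9", "dst": "192.0.2.10", "method": "GET", "path": "/index.html",
        "status": 200,
        "resp_headers": {"Server": "Apache/2.4.7 (Ubuntu)", "Content-Type": "text/html"},
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Matching on the response headers rather than only on the request path keeps the rule quiet for harmless probes and scanner noise, and the separate `fingerprint` verdict gives triage a list of devices to check for patch status without inflating the incident queue.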
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/164538/Mitsubishi-Electric-INEA-SmartRTU-Source-Code-Disclosure.html
- https://drive.google.com/open?id=1QMHwTnBbIqrTkR0NEpnTKssYdi8vRsHH