CVE-2018-16060
published 2021-10-15


Priority: P2 62 (high)
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public exploit known
EPSS: 19.61% (97.0th percentile)
Mitsubishi Electric Europe B.V. SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.

Detection & IOCs (extracted from sources)

URL: /web
Path: /web
Filename: web.tar
  • Detect unauthenticated GET requests to the /web endpoint on SmartRTU devices. A successful exploit returns HTTP 200 with Content-Type: application/x-tar and Content-Location: web.tar, disclosing the full web application source code as a tar archive.
  • Alert on HTTP responses from SmartRTU/ME RTU devices that carry both 'Content-Location: web.tar' and 'Content-Type: application/x-tar'; together they indicate a successful source code disclosure. Confirm by checking that the body is actually a tar archive rather than an error page served with the same headers.
  • The server banner 'Apache/2.4.7 (Ubuntu)' in responses from SmartRTU devices can help fingerprint candidate targets during triage, but it is not on its own proof of exposure.
  • The exploit requires no authentication: a single direct HTTP GET to /web triggers the disclosure, so no special headers or credentials are needed beyond network access to the device.
  • The vulnerability affects Mitsubishi Electric Europe B.V. SmartRTU devices (also branded as INEA ME RTU); both product lines share the same vulnerable codebase.
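The detection logic in the bullets above, as an added example that is not part of the original page or of any vendor or scanner code: it parses a raw HTTP response to GET /web, checks the three header indicators (200, application/x-tar, web.tar), and then verifies the body is really a tar archive by looking for the POSIX "ustar" magic at offset 257 before listing the disclosed members. The sample responses, the archive contents and the file names inside it are constructed for the example; only the headers and banner come from the advisory.

```python
import io
import tarfile

# Indicators from the advisory: 200 + these two headers on GET /web.
EXPECTED_CONTENT_TYPE = "application/x-tar"
EXPECTED_CONTENT_LOCATION = "web.tar"
USTAR_MAGIC_OFFSET = 257  # POSIX/GNU tar headers carry "ustar" here


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def detect_web_tar_disclosure(raw: bytes) -> dict:
    """Verdict for one response to GET /web on a suspected SmartRTU."""
    status, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    cloc = headers.get("content-location", "").strip()

    # Header-level match: what a proxy/IDS rule on the response would see.
    header_match = (
        status == 200
        and ctype == EXPECTED_CONTENT_TYPE
        and cloc.endswith(EXPECTED_CONTENT_LOCATION)
    )

    # Body-level confirmation: reject error pages served with the same headers.
    body_is_tar = body[USTAR_MAGIC_OFFSET:USTAR_MAGIC_OFFSET + 5] == b"ustar"
    members = []
    if body_is_tar:
        try:
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                members = tf.getnames()  # what the attacker actually obtained
        except tarfile.TarError:
            body_is_tar = False  # truncated or corrupt capture

    return {
        "match": header_match and body_is_tar,
        "header_match": header_match,
        "body_is_tar": body_is_tar,
        "status": status,
        "server": headers.get("server", ""),  # banner, for triage only
        "members": members,
    }


def build_sample_archive() -> bytes:
    """Constructed sample archive standing in for a real web.tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in (
            ("web/index.php", b"<?php echo 'constructed placeholder'; ?>\n"),
            ("web/config.inc", b"# constructed placeholder\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def sample_vulnerable_response() -> bytes:
    """Constructed capture shaped like a successful disclosure."""
    body = build_sample_archive()
    head = (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache/2.4.7 (Ubuntu)\r\n"
        b"Content-Location: web.tar\r\n"
        b"Content-Type: application/x-tar\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return head + body


def sample_benign_response() -> bytes:
    """Constructed capture: same banner, but a login page, not an archive."""
    body = b"<html><body>Login</body></html>"
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache/2.4.7 (Ubuntu)\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


if __name__ == "__main__":
    for raw in (sample_vulnerable_response(), sample_benign_response()):
        print(detect_web_tar_disclosure(raw))
```

Keying the alert on `match` rather than `header_match` alone is the point: the headers are cheap to see in a proxy log, but a device fronted by a WAF or an error handler can answer 200 with misleading headers, and the tar magic plus a successful member listing is what proves source code actually left the RTU.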

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N