CVE-2018-5347
Published 2018-01-12
Priority: P2 · 79 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: EXPLOIT
EPSS: 54.16% (98.9th percentile)

Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled.
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to .psp endpoints on the Seagate Personal Cloud device, specifically GET requests to uploadTelemetry.psp and getLogs.psp containing shell metacharacters (e.g., %3b / semicolons) in the TimeStamp, time_stamp, or arch_id parameters.
- Alert on GET parameters TimeStamp (uploadTelemetry.psp) and time_stamp/arch_id (getLogs.psp) containing shell metacharacters such as semicolons, pipes, or backticks, as these are passed unsanitized to commands.getoutput() / commands.getstatusoutput().
- Both vulnerable views use the @csrf_exempt decorator, meaning exploitation can also be triggered via CSRF from a malicious web page; monitor for cross-origin requests to these .psp endpoints.
- Detect unexpected execution of sshd enablement commands (ngc --start sshd) or passwd changes originating from the lighttpd/FastCGI process, which would indicate successful exploitation.
- Any URL ending in .psp is routed via FastCGI to the Django Media Server; monitor the FastCGI socket /var/run/manage_py-fastcgi.socket for unexpected or high-frequency connections.
- The FastCGI routing rule in lighttpd is configured to forward ALL .psp and .psp/ URLs to the Django Media Server without local file checks, meaning no filesystem-level gatekeeping exists for these endpoints.
- Injected commands execute with root privileges, making exploitation immediately critical with no privilege escalation step required.
- No authentication is required to reach the vulnerable uploadTelemetry and getLogs endpoints; exploitation is fully unauthenticated.
- Seagate refused to provide a fix timeline or coordinate disclosure, so no official patch status was confirmed at time of advisory publication.
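The first two detection items above can be turned into a log check. The following is an added example written for this page, not code from the advisory or from Seagate: it scans lighttpd access-log lines (sample lines constructed here) for requests to the two vulnerable endpoints whose named parameters carry shell metacharacters. It assumes the common log format and that the endpoints are reached under their bare view names; the prefix path on a real device may differ, so matching is done on the last path segment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Injection points named in the advisory, keyed by the .psp endpoint basename.
WATCHED_PARAMS = {
    "uploadTelemetry.psp": {"TimeStamp"},
    "getLogs.psp": {"time_stamp", "arch_id"},
}

# Shell metacharacters that have no business in a timestamp or archive id.
META_CHARS = set(";|`$&\n")

# lighttpd common access-log format (assumed here):
# host ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def check_request(target):
    """Inspect one request target.

    Returns (endpoint, param, decoded_value) for the first watched parameter
    that contains a shell metacharacter, or None if the request looks clean.
    """
    parts = urlsplit(target)
    # lighttpd forwards both "x.psp" and "x.psp/" to FastCGI, so strip the slash.
    endpoint = parts.path.rstrip("/").rsplit("/", 1)[-1]
    watched = WATCHED_PARAMS.get(endpoint)
    if watched is None:
        return None
    # parse_qs percent-decodes once; unquote again so double-encoded
    # values such as %253b (-> %3b -> ;) are still caught.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            decoded = unquote(value)
            if any(c in META_CHARS for c in decoded):
                return (endpoint, name, decoded)
    return None


def scan_log(lines):
    """Return one alert dict per log line that matches the detection rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        hit = check_request(m.group("target"))
        if hit is None:
            continue
        endpoint, param, value = hit
        alerts.append({
            "src": m.group("src"),
            "time": m.group("time"),
            "endpoint": endpoint,
            "param": param,
            "value": value,
        })
    return alerts


# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2018:10:00:01 +0000] '
    '"GET /uploadTelemetry.psp?TimeStamp=1515751201 HTTP/1.1" 200 12',
    '198.51.100.7 - - [12/Jan/2018:10:00:05 +0000] '
    '"GET /uploadTelemetry.psp?TimeStamp=1515751201%3bls HTTP/1.1" 200 40',
    '198.51.100.7 - - [12/Jan/2018:10:00:09 +0000] '
    '"GET /getLogs.psp/?time_stamp=1515751209&arch_id=abc%7cls HTTP/1.1" 200 40',
    '192.0.2.10 - - [12/Jan/2018:10:00:11 +0000] '
    '"GET /media/index.psp?id=5%3b HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT", alert)
```

Only the two requests that place a metacharacter in a watched parameter of a watched endpoint raise an alert; the fourth line hits a different .psp view and is left to the broader ".psp traffic" monitoring item rather than this rule.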
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
No writeups or analysis indexed.