CVE-2018-7297
Published 2018-02-22
Priority: P189 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 65.27% (99.2th percentile)
Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eq-3 | homematic_central_control_unit_ccu2_firmware | <= 2.29.22 | — |
Detection & IOCs (extracted from sources)
- bytes: XOR key 0x87, cumulative byte-wise XOR string encryption
- Exploit targets the /Test.exe endpoint on Homematic CCU2 via HTTP POST, injecting TCL commands through the system.Exec() function in the request body. Monitor for POST requests to this path.
- Exploit payload uses the TCL interpreter's system.Exec() call embedded in the POST body with the pattern 'string stdout;string stderr;system.Exec(...)'. Detect this string pattern in HTTP POST body traffic to CCU2 devices.
- CVE-2018-7297 is exploitable by unauthenticated attackers via the web interface. Absence of authentication headers in POST requests to /Test.exe should be treated as suspicious.
- Hide 'N Seek botnet samples exploiting CVE-2018-7297 use a cumulative byte-wise XOR with key 0x87 for string decryption. Use this decryption scheme when reverse-engineering captured samples.
- Hide 'N Seek botnet variant exploiting CVE-2018-7297 can be tracked in AutoFocus using the tag HideNSeek.
- The exploit targets Homematic CCU2 versions 2.29.2 and earlier (PoC specifically references 2.29.23). Devices running versions above this threshold are not affected by this specific CVE.
- Hard-coded P2P peer IPs and ports used by the Hide 'N Seek variant differ between samples and versions; refer to the Palo Alto Networks GitHub page for the full current list rather than relying on a static set.
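The three network indicators above (POST to /Test.exe, the `string stdout;string stderr;system.Exec(` body pattern, and the absence of an authentication header) can be turned into a single triage check. The following is an added example, not code from the original page or from any of the cited vendors: it parses raw HTTP/1.x requests and grades each one. The request samples are constructed for the example, the function and indicator names are the example's own, and the set of headers treated as "authenticated" is an assumption to adapt to the deployment.

```python
"""Triage raw HTTP requests against the CVE-2018-7297 indicators.

Added example (not from the original page). Samples below are constructed,
not captured traffic; indicator names and the AUTH_HEADERS set are this
example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Indicators from the IOC list: the targeted endpoint and the payload prefix.
TARGET_PATH = "/Test.exe"
EXEC_PATTERN = re.compile(r"string\s+stdout;\s*string\s+stderr;\s*system\.Exec\s*\(")
# Assumption: any of these headers counts as "authenticated" for this check.
AUTH_HEADERS = {"authorization", "cookie"}


@dataclass
class Finding:
    request_id: str
    indicators: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # The body pattern is the strongest signal and fires regardless of path.
        if "system_exec_pattern" in self.indicators:
            return "alert"
        if "post_to_test_exe" in self.indicators:
            return "suspicious" if "no_auth_header" in self.indicators else "notice"
        return "clean"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into method, target, lowercase headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def analyze(request_id: str, raw: str) -> Finding:
    """Record which of the three indicators a single request exhibits."""
    method, target, headers, body = parse_request(raw)
    finding = Finding(request_id)
    path = target.split("?", 1)[0]  # ignore any query string
    if method == "POST" and path == TARGET_PATH:
        finding.indicators.append("post_to_test_exe")
        if not AUTH_HEADERS.intersection(headers):
            finding.indicators.append("no_auth_header")
    if EXEC_PATTERN.search(body):
        finding.indicators.append("system_exec_pattern")
    return finding


# Constructed sample traffic (not captured from a real device).
SAMPLES = {
    "req-1": (  # unauthenticated POST carrying the payload prefix
        "POST /Test.exe HTTP/1.1\r\nHost: ccu2.lan\r\nContent-Type: text/plain\r\n\r\n"
        'string stdout;string stderr;system.Exec("<redacted>");'
    ),
    "req-2": "GET / HTTP/1.1\r\nHost: ccu2.lan\r\n\r\n",  # ordinary page load
    "req-3": (  # authenticated POST to the endpoint, benign body
        "POST /Test.exe HTTP/1.1\r\nHost: ccu2.lan\r\nCookie: Session=abc\r\n\r\n"
        'Write("hello");'
    ),
    "req-4": (  # unauthenticated POST to the endpoint, no payload prefix
        "POST /Test.exe?x=1 HTTP/1.1\r\nHost: ccu2.lan\r\n\r\nWrite(1);"
    ),
    "req-5": (  # payload prefix sent to a different path
        "POST /api HTTP/1.1\r\nHost: ccu2.lan\r\n\r\n"
        "string stdout; string stderr; system.Exec (\"<redacted>\");"
    ),
}


def analyze_samples() -> Dict[str, Tuple[str, List[str]]]:
    """Grade every sample; returns {id: (severity, indicators)}."""
    results = {}
    for request_id, raw in SAMPLES.items():
        finding = analyze(request_id, raw)
        results[request_id] = (finding.severity, finding.indicators)
    return results


if __name__ == "__main__":
    for request_id, (severity, indicators) in analyze_samples().items():
        print(f"{request_id}: {severity:<10} {', '.join(indicators) or '-'}")
```

The pattern match is deliberately tolerant of whitespace between the tokens, since the IOC quotes one spacing of the payload and a sensor should not depend on it; the path check, by contrast, is exact so that ordinary CCU2 web traffic stays at "clean".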
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-q64h-3pq3-w59f (ghsa_unreviewed · 2022-05-13) [CRITICAL]
Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
VulnCheck
TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier Remote Code Execution (vulncheck · 2018 · CVSS 9.8) [CRITICAL]
Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
Affected: eq-3 homematic_central_control_unit_ccu2_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/; https://www.researchgate.net/publication/3486
No detection rules found.
Unit42
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam · Threat Research Center · blogs_unit42 · Published: December 13, 2019
Tags: Malware, Threat Research, Vulnerabilities, Echobot, IoT, IoT Vulnerability, Mirai, Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven't been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Unit42
## Hide 'N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP
Ruchna Nigam · Threat Research Center · blogs_unit42 · Published: June 12, 2019 · CVSS 9.8 · CVE-2018-20062 [CRITICAL]
Tags: Threat Research, Vulnerabilities, CVE-2018-20062, CVE-2019-7238, Exploits, HideNSeek, IoT, Linux, ThinkPHP
## Executive Summary
The Hide 'N Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots.
Since its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).
This post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits: CVE-2018-20062, which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.
While the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of the CVE-2019-7238 vulnerability being ex