CVE-2019-10267
published 2019-07-26

Priority: P1 (80, high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 75.77% (99.5th percentile)
An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).

Affected

Vendor   Product              Version range            Fixed in
ahsay    cloud_backup_suite   >= 7.7.0.0, < 8.1.1.50   8.1.1.50

Detection & IOCs (extracted from sources)

url:      /obs/obm7/file/upload
url:      /obs/obm7/file/download
url:      /obs/obm7/file/delete
url:      /obs/obm7/user/getUserProfile
url:      /obs/obm7/user/isTrialEnabled
url:      /obs/obm7/user/addTrialUser
url:      /cbs/system/ShowDownload.do
url:      /cbs/system/download/indexTab1.jsp
path:     ../../webapps/cbs/help/en/
filename: SystemSettings_License_Redirector_AHSAY.jsp
path:     ../../conf/users.xml
  • Detect exploitation by monitoring HTTP PUT requests to /obs/obm7/file/upload in which the custom headers X-RSW-Request-0, X-RSW-Request-1, and X-RSW-custom-encode-path are all present at once; these are the authentication and path-encoding headers the exploit relies on.
  • Alert on HTTP PUT requests to /obs/obm7/file/upload whose body contains .jsp content, which indicates a JSP webshell upload attempt.
  • Monitor for a POST to /obs/obm7/user/isTrialEnabled that returns 'ENABLED', followed immediately by a POST to /obs/obm7/user/addTrialUser; this sequence indicates automated trial-account creation as a precursor to exploitation.
  • Alert on a GET to /cbs/system/ShowDownload.do followed by a GET to /cbs/system/download/indexTab1.jsp; this is the version-check sequence the exploit's check() function uses to fingerprint vulnerable Ahsay instances.
  • The exploit requires valid credentials; however, if the Ahsay server has trial accounts enabled (an 'ENABLED' response from /obs/obm7/user/isTrialEnabled), an attacker can self-register an account before exploiting, so no pre-existing credentials are needed in that case.
  • The default upload path used by the exploit is '../../webapps/cbs/help/en'; defenders should monitor this path (and the resulting web-accessible directory) for unexpected .jsp or .exe file creation.
  • The exploit uses SSL/HTTPS on port 443 by default, so TLS inspection is required to see the malicious headers and payload in transit.
  • The exploit performs cleanup (it deletes the uploaded .exe, .jsp, and user account files) after execution, so forensic artifacts may be limited; focus detection on the upload and trigger phases rather than on post-exploitation file presence.
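The four detection rules above, written out as a small log-matching routine. This is an added example, not part of the original record or of any Ahsay tooling; the request-record field names (src, method, path, headers, body, response) and the sample traffic are assumptions constructed for the demonstration.

```python
"""Detection logic for the CVE-2019-10267 request patterns (added example).
Records are dicts: src, method, path, headers, body, response (assumed schema)."""

UPLOAD = "/obs/obm7/file/upload"
# Header names compared case-insensitively, as HTTP header names are.
RSW_HEADERS = {"x-rsw-request-0", "x-rsw-request-1", "x-rsw-custom-encode-path"}
# Two-request sequences from the same source: (earlier, later) -> alert name.
SEQUENCES = {
    ("POST /obs/obm7/user/isTrialEnabled", "POST /obs/obm7/user/addTrialUser"):
        "trial-account-precursor",
    ("GET /cbs/system/ShowDownload.do", "GET /cbs/system/download/indexTab1.jsp"):
        "version-fingerprint",
}


def detect(requests):
    """Return (src, alert) tuples in the order the rules fire."""
    alerts = []
    last = {}  # per source: ("METHOD path", response body) of the previous request
    for r in requests:
        key = f"{r['method']} {r['path']}"
        hdrs = {h.lower() for h in r.get("headers", {})}
        body = r.get("body", "")
        is_upload = r["method"] == "PUT" and r["path"] == UPLOAD
        # Rule 1: upload request carrying all three X-RSW headers at once.
        if is_upload and RSW_HEADERS <= hdrs:
            alerts.append((r["src"], "rsw-upload-headers"))
        # Rule 2: upload body that looks like JSP (scriptlet/directive or .jsp name).
        if is_upload and ("<%" in body or ".jsp" in body):
            alerts.append((r["src"], "jsp-upload"))
        # Rules 3 and 4: ordered request pairs from the same source. The trial
        # sequence only counts when the first response actually said ENABLED.
        prev_key, prev_resp = last.get(r["src"], (None, ""))
        name = SEQUENCES.get((prev_key, key))
        if name == "trial-account-precursor" and "ENABLED" not in prev_resp:
            name = None
        if name:
            alerts.append((r["src"], name))
        last[r["src"]] = (key, r.get("response", ""))
    return alerts


SAMPLE = [  # constructed sample traffic, not a real capture
    {"src": "10.0.0.5", "method": "GET", "path": "/cbs/system/ShowDownload.do"},
    {"src": "10.0.0.5", "method": "GET", "path": "/cbs/system/download/indexTab1.jsp"},
    {"src": "10.0.0.5", "method": "POST", "path": "/obs/obm7/user/isTrialEnabled", "response": "ENABLED"},
    {"src": "10.0.0.5", "method": "POST", "path": "/obs/obm7/user/addTrialUser"},
    {"src": "10.0.0.5", "method": "PUT", "path": UPLOAD, "body": '<%@ page language="java" %>',
     "headers": {"X-RSW-Request-0": "a", "X-RSW-Request-1": "b", "X-RSW-custom-encode-path": "c"}},
    {"src": "10.0.0.9", "method": "PUT", "path": UPLOAD, "body": "backup data",
     "headers": {"X-RSW-Request-0": "a"}},  # ordinary client upload: no alert
]

if __name__ == "__main__":
    for src, alert in detect(SAMPLE):
        print(src, alert)
```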

CVSS provenance

NVD v3.0: 8.8 HIGH      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C