cbcvebase.
CVE-2019-10854
published 2019-05-23

CVE-2019-10854: Computrols CBAS 18.0.0 allows Authenticated Command Injection.

Priority: P2 (62) · high · CVSS 3.0 score 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.99% (85.6th percentile)

Affected

1 range

Vendor: computrols
Product: computrols_building_automation_software
Version range: <= 19.0.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: cbas/index.php?m=auth&a=agg_post&code=test
url: cbas/index.php?m=auth&a=logout
url: cbas/json.php
command: DispatchHistoryQuery -i "$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')"
  • Monitor HTTP POST requests to cbas/json.php containing a base64-encoded 'p' parameter, which is the delivery mechanism for the command injection payload.
  • Detect the auth bypass sequence: a GET request to cbas/index.php?m=auth&a=agg_post&code=test followed by access to cbas/json.php with the same PHPSESSID cookie, indicating unauthenticated exploitation chaining CVE-2019-10853 and CVE-2019-10854.
  • Alert on the static exploit cookie value PHPSESSID=comparemetoasummersday appearing in HTTP requests to CBAS web endpoints.
  • Detect command injection strings containing 'DispatchHistoryQuery' with a subshell $(python -c ...) construct in the POST body to cbas/json.php.
  • The server response 'Access Forbidden' from cbas/json.php indicates an unauthenticated session; absence of this string after hitting the auth bypass URL signals a successful bypass and imminent exploitation attempt.
  • The server-side input filter in exectools.php blocks specific characters, meaning payloads will never contain these characters in plaintext; detection rules must account for base64-encoded or chr()-obfuscated payloads that bypass this filter.
  • The exploit affects CBAS-Web versions 19.0.0 and below (NVD references 18.0.0 specifically); detection should not be scoped to a single version.
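As an added defender-side example (not code from the cbcvebase page or from any exploit source), the detection notes above turned into a small correlation pass over constructed request records; the record layout, the rule names and the sample payload text are assumptions.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample records (session cookie, method, path, POST body); not real traffic.
_PAYLOAD = (b"DispatchHistoryQuery -i \"$(python -c 'exec(chr(0)[0:0]"
            b".join([chr(x) for x in [32]]))')\"")
SAMPLE_REQUESTS = [
    ("PHPSESSID=s1", "GET", "/cbas/index.php?m=auth&a=logout", ""),
    ("PHPSESSID=s1", "GET", "/cbas/index.php?m=auth&a=agg_post&code=test", ""),
    ("PHPSESSID=s1", "POST", "/cbas/json.php", "p=" + base64.b64encode(_PAYLOAD).decode()),
    ("PHPSESSID=comparemetoasummersday", "GET", "/cbas/index.php?m=auth&a=logout", ""),
    ("PHPSESSID=s2", "POST", "/cbas/json.php", "p=" + base64.b64encode(b"get_points").decode()),
]

STATIC_EXPLOIT_COOKIE = "PHPSESSID=comparemetoasummersday"   # from the IOC list above
BYPASS_MARKER = "m=auth&a=agg_post&code=test"                # CVE-2019-10853 bypass URL
INJECTION_RE = re.compile(r"DispatchHistoryQuery.*\$\(python\s+-c", re.S)


def decode_p_param(body):
    """Base64-decode the 'p' POST parameter; return '' if it is missing or not valid base64."""
    m = re.search(r"(?:^|&)p=([^&]+)", body)
    if not m:
        return ""
    try:
        return base64.b64decode(unquote(m.group(1)), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError subclass
        return ""


def analyze(requests):
    """Return (record index, rule name) pairs; each rule mirrors one detection note above."""
    alerts = []
    bypassed_sessions = set()   # sessions that hit the bypass URL earlier in the stream
    for i, (cookie, method, path, body) in enumerate(requests):
        if cookie == STATIC_EXPLOIT_COOKIE:
            alerts.append((i, "static-exploit-cookie"))
        if BYPASS_MARKER in path:
            bypassed_sessions.add(cookie)
        if path.startswith("/cbas/json.php"):
            if cookie in bypassed_sessions:          # bypass URL then json.php, same PHPSESSID
                alerts.append((i, "auth-bypass-chain"))
            decoded = decode_p_param(body) if method == "POST" else ""
            if decoded:                              # base64 'p' is the payload carrier
                alerts.append((i, "base64-p-param"))
            if INJECTION_RE.search(decoded):         # matched after decoding, not in plaintext
                alerts.append((i, "command-injection-payload"))
    return alerts
```

The base64-p-param rule fires on legitimate CBAS traffic too and is meant as a correlation signal rather than a standalone alert; the other three rules are the high-confidence ones.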

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C