CVE-2019-12725
Published 2019-07-19
Priority: P192 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.85% (99.8th percentile)
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zeroshell | zeroshell | — | — |
Detection & IOCs (extracted from sources)
Injection payload pattern (URL-encoded, `<cmd>` stands for the injected command):
command%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22<cmd>%22%0A%27
Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725)"; flow:established,to_server; http.uri; content:"/kerbynet?"; nocase; fast_pattern; content:"Action="; nocase; content:"Section="; nocase; reference:cve,2019-12725; reference:url,isc.sans.edu/forums/diary/Scanning+Activity+for+ZeroShell+Unauthenticated+Access/26368/; classtype:attempted-admin; sid:2030597; rev:3; metadata:attack_target Networking_Equipment, created_at 2020_07_24, cve CVE_2019_12725, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07;)
- Match HTTP GET requests to the /kerbynet? URI containing both 'Action=' and 'Section=' parameters; the Emerging Threats Snort rule (sid:2030597) uses these three content matches as its core detection logic.
- The Nuclei template confirms exploitation via a regex match on the response body for the /etc/passwd root entry, indicating successful OS command injection.
- The Metasploit module checks for successful RCE by looking for 'uid=0(root)' in the HTTP response body after injecting the 'id' command.
- The privilege escalation vector abuses a NOPASSWD sudo rule for /bin/tar, using the --checkpoint and --checkpoint-action=exec options to run arbitrary commands as root.
- Shodan/FOFA fingerprinting: exposed Zeroshell devices can be identified by the HTTP title 'zeroshell'; use this for asset discovery and attack surface monitoring.
- The x509type parameter is also an injection point (used in the Metasploit module with Action=x509view&Section=NoAuthREQ), in addition to the User parameter used in the simpler PoC.
- The Metasploit module defaults to SSL (port 443). Detections scoped only to HTTP port 80 may miss exploitation attempts against HTTPS-enabled Zeroshell instances.
- The Metasploit module targets x86 only; payloads staged via the wget cmdstager may differ for other architectures.
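Applying the three content matches of sid:2030597 to web-server access logs rather than to network traffic also covers the HTTPS case noted above, because the access log is written after TLS termination. The Python below is an added example written for this page, not code from Emerging Threats, Zeroshell or any of the sources listed: it mirrors the rule's three case-insensitive URI matches, URL-decodes the query string and then flags the tar `--checkpoint-action` payload shape quoted in the IOC string. The log lines, the `192.0.2.x` addresses and the parameter values in them are constructed.

```python
"""Access-log re-implementation of the ET sid:2030597 detection logic.

Added example, not from the original page: the rule-level check requires
"/kerbynet?", "Action=" and "Section=" in the URI (case-insensitive); the
payload-level check URL-decodes the query and looks for the tar
--checkpoint-action injection shape from the IOC section.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format; only the request line is needed here.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Decoded-payload indicators taken from the IOC string on the page.
_PAYLOAD_INDICATORS = ("--checkpoint-action", "/etc/sudo", "tar -cf")


def match_et_rule(uri: str) -> bool:
    """Mirror sid:2030597: all three substrings present, case-insensitive."""
    u = uri.lower()
    return "/kerbynet?" in u and "action=" in u and "section=" in u


def classify_request(uri: str) -> str:
    """Return 'none', 'suspicious' (rule match only) or 'payload' (injection seen)."""
    if not match_et_rule(uri):
        return "none"
    decoded = unquote_plus(uri)
    if any(ind in decoded for ind in _PAYLOAD_INDICATORS):
        return "payload"
    # A newline or single quote inside a decoded parameter value is the
    # generic command-injection signal even when the tar payload is absent.
    if "\n" in decoded or "'" in decoded:
        return "payload"
    return "suspicious"


def scan_log(lines):
    """Return (src, timestamp, verdict, uri) for every line that is not 'none'."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        verdict = classify_request(m["uri"])
        if verdict != "none":
            hits.append((m["src"], m["ts"], verdict, m["uri"]))
    return hits


# Constructed sample lines (RFC 5737 test addresses; values are made up).
SAMPLE_LOG = [
    # Action present, Section absent: does not match the rule.
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/kerbynet?Action=Login&User=admin HTTP/1.1" 200 512',
    # Rule match with a harmless parameter value: 'suspicious'.
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&x509type=test HTTP/1.1" 200 1024',
    # Rule match carrying the IOC payload string from the page: 'payload'.
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22<cmd>%22%0A%27 HTTP/1.1" 200 128',
    # Unrelated request.
    '192.0.2.13 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, ts, verdict, uri in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} {verdict}: {uri[:80]}")
```

Feed a real access log to `scan_log()` line by line. A `suspicious` verdict is the rule-level match only (Action= and Section= both present, which legitimate administrative traffic to kerbynet can also produce), while `payload` means the decoded parameter carried a newline, a quote or the tar checkpoint options and should be handled as an exploitation attempt regardless of the response status.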
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | n/a | 9.8 | CRITICAL | n/a |
GHSA
GHSA-83mm-jfvg-jxxh: Zeroshell 3 (ghsa_unreviewed · 2022-05-24)
CVE-2019-12725 [CRITICAL] · CWE-78
VulnCheck
zeroshell zeroshell: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (vulncheck · 2019 · CVSS 9.8)
CVE-2019-12725 [CRITICAL]
Affected: zeroshell zeroshell
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html
- https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr
- https://hei
Suricata
ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725) (suricata · 2020-07-24 · CVSS 9.8)
CVE-2019-12725 [CRITICAL]
Rule: sid:2030597, as given in full under Detection & IOCs above.
Exploit-DB
ZeroShell 3.9.0 - Remote Command Execution (exploitdb · 2021-05-13 · CVSS 9.8)
CVE-2019-12725 [CRITICAL]
---
PoC header and trailing error handling (the body is truncated in the source):
```python
# Exploit Title: ZeroShell 3.9.0 - Remote Command Execution
# Date: 10/05/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://zeroshell.org/
# Software Link: https://zeroshell.org/download/
# Version: …
    except requests.exceptions.ConnectionError as err:
        print('[x] Failed to Connect in: '+uri_zeroshell+' ')
        print('[x] This host seems to be Down')
        exit()
    except requests.exceptions.HTTPError as conn:
        print('[x] Failed to execute command in: '+uri_zeroshell+' ')
        print('[x] This host does not appear to be a ZeroShell')
        exit()

command()
```
Exploit-DB
ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit) (exploitdb · 2020-11-24 · CVSS 9.8)
CVE-2019-12725 [CRITICAL]
---
Module header (truncated in the source):
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # …
        'Name' => 'Zeroshell 3.9.0 Remote Command Execution',
        'Description' => %q{
          This module exploits an unauthenticated command injection vulnerability
          found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url.
          As sudo is configured to execute /bin/tar without a password (NOPASSWD)
          it is possible to run root commands using the "checkpoint" tar options.
        },
        'Author' => [
          'Juan Manuel Fernandez', # Vulnerability discovery
          'Giuseppe Fuggiano ', # Metasploit module
        ],
        'References' => [
          ['CVE', '2019-12725'],
          ['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-r
```
Nuclei
Zeroshell 3.9.0 - Remote Command Execution (nuclei · CVSS 9.8)
CVE-2019-12725 [CRITICAL]
Template (truncated in the source):
```yaml
id: CVE-2019-12725

info:
  name: Zeroshell 3.9.0 - Remote Command Execution
  author: dwisiswant0,akincibor
  severity: critical
  description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
  impact: |
    Successful exploitation of this vulnerability all
```
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits (blogs_unit42 · 2023-06-22 · CVSS 9.8)
CVE-2019-12725 [CRITICAL]
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:
| CVE | Product / Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injectio |
Authors: Chao Lei, Zhibin Zhang, Yiheng An, Cecilia Hu · Published: June 22, 2023
Tags: Trend Reports, Vulnerabilities, Botnet, IoT, IoT Security, Mirai
Tagged CVEs: CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240
Fortinet
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability (blogs_fortinet · 2022-10-21 · CVSS 9.8)
CVE-2022-22954 [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
By Cara Lin | October 21, 2022
In April, VMware patched a vulnerability, CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on the parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.
We have observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc. But in August, there were a few particular payloads which got our interest. They had th
Unit42
Network Attack Trends: Internet of Threats (August-October 2020) (blogs_unit42 · 2021-01-22 · CVSS 9.8)
CVE-2012-2311 [CRITICAL]
Authors: Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang · Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Greynoiseio
Malicious Tag Roundup (Jul 19-Aug 2, 2021) (blogs_greynoiseio · CVSS 10.0)
[CRITICAL]
References
- http://packetstormsecurity.com/files/160211/ZeroShell-3.9.0-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/162561/ZeroShell-3.9.0-Remote-Command-Execution.html
- https://www.tarlogic.com/advisories/zeroshell-rce-root.txt
- https://zeroshell.org/blog/