CVE-2019-12780
published 2019-06-10

Priority: P190 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 71.99% (99.4th percentile)
The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication.

Detection & IOCs (extracted from sources)

path: /upnp/control/basicevent1
hash: d6ebabf44849951d754ee2de15a24b92
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Inbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; startswith; endswith; http.request_header; header_lowercase; content:"soapaction|3a 20|"; startswith; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; fast_pattern; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027486; rev:6;)
snort:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Outbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; startswith; endswith; http.request_header; header_lowercase; content:"soapaction|3a 20|"; startswith; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027487; rev:6;)
bytes: |3c|SmartDevURL|3e 60|
bytes: urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo
  • The exploit is an HTTP POST to /upnp/control/basicevent1 with a SOAPAction header containing 'SetSmartDevInfo' and a backtick-prefixed command injected in the <SmartDevURL> body element; no authentication is required.
  • Other Wemo devices (non-Crock-Pot) are known to be affected on port 49153; monitor that port for the same POST/SOAPAction pattern.
  • The byte sequence |3c|SmartDevURL|3e 60| in the HTTP request body decodes to <SmartDevURL> immediately followed by a backtick (0x60), indicating shell command injection; flag any HTTP body containing this pattern.
  • The exploit has been associated with the Echobot malware campaign (Mirai variant); correlate detections with known Mirai/Echobot IoT botnet infrastructure.
  • The Snort/Suricata rules (sid:2027486, sid:2027487) cover both inbound and outbound directions; deploy both on perimeter sensors to catch exploitation attempts from external actors and lateral movement from already-compromised internal IoT devices.
  • The default affected port for the Wemo Crock-Pot differs from that of other Wemo devices (49153); ensure detection rules cover both ports to avoid blind spots.
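
Added example (not part of the original page or of the ET ruleset): the same match conditions as the two rules above, applied to already-parsed HTTP request records, for environments that log requests but do not run Suricata. The record layout, the helper names, the sample addresses and the port 8080 are assumptions constructed for illustration; the match is deliberately port-agnostic so it covers both port cases mentioned above.

```python
# Added example: Python equivalent of the rule logic above, for parsed HTTP logs.
SOAP_ACTION = "urn:Belkin:service:basicevent:1#SetSmartDevInfo"
URI = "/upnp/control/basicevent1"
BODY_MARKER = b"<SmartDevURL>`"  # same bytes as |3c|SmartDevURL|3e 60|


def is_injection_attempt(req):
    """req: dict with method, uri, headers (dict) and body (bytes)."""
    if req["method"].upper() != "POST" or req["uri"] != URI:
        return False
    # Header names are case-insensitive; the value is usually double-quoted.
    headers = {k.lower(): v for k, v in req["headers"].items()}
    action = headers.get("soapaction", "").strip().strip('"')
    if action != SOAP_ACTION:
        return False
    # A backtick directly after the opening tag is the injection marker.
    return BODY_MARKER in req["body"]


def scan(requests):
    """Return (src, dst_port) for every matching request, on any port."""
    return [(r["src"], r["dst_port"]) for r in requests if is_injection_attempt(r)]


def _req(src, port, action, url_value, header_name="SOAPAction"):
    # Builds one constructed log record (hypothetical layout).
    body = "<u:%s><SmartDevURL>%s</SmartDevURL></u:%s>" % (action, url_value, action)
    return {"src": src, "dst_port": port, "method": "POST", "uri": URI,
            "headers": {header_name: '"urn:Belkin:service:basicevent:1#%s"' % action},
            "body": body.encode()}


# Constructed sample records (documentation addresses; port 8080 is made up).
SAMPLES = [
    _req("192.0.2.10", 49153, "SetSmartDevInfo", "`CONSTRUCTED_PLACEHOLDER`"),
    _req("192.0.2.11", 8080, "SetSmartDevInfo", "`CONSTRUCTED_PLACEHOLDER`", "soapaction"),
    _req("192.0.2.12", 49153, "SetSmartDevInfo", "http://example.invalid/info"),
    _req("192.0.2.13", 49153, "GetBinaryState", "`CONSTRUCTED_PLACEHOLDER`"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print("possible CVE-2019-12780 attempt:", hit)
```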

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL