CVE-2019-14931
published 2019-10-28


Priority: P188 (critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 57.66% (99.0th percentile)
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data.

Affected

2 ranges
Vendor              Product            Version range  Fixed in
inea                me-rtu_firmware    <= 3.0         -
mitsubishielectric  smartrtu_firmware  <= 2.02        -

Detection & IOCs (extracted from sources)

path
/action.php
command
;sudo /usr/sbin/service ../../bin/nc -nvlp <port> -e /bin/sh&PingCheck=Test
snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Inbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032636; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_09;)
snort
alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Outbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032637; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_09;)
bytes
|7b 27|host|27 20 3a 20 27 3b|
  • Exploit is delivered via HTTP POST to /action.php with a 'host' parameter containing a shell command separator (;) to inject OS commands. Look for semicolons in the 'host' POST body field targeting this endpoint.
  • The exploit POSTs a payload with the 'host' field starting with ';sudo /usr/sbin/service ../../bin/nc -nvlp <port> -e /bin/sh' to establish a bind shell. Monitor for outbound netcat listener connections from RTU devices following a POST to /action.php.
  • The Snort/Suricata byte signature |7b 27|host|27 20 3a 20 27 3b| matches the serialized POST body pattern {'host' : ';} at the start of the request body, uniquely identifying exploit attempts against this CVE.
  • The exploit targets unauthenticated access — no session cookie or authentication header is required. Detections should fire on all requests to /action.php matching the payload pattern, regardless of authentication state.
  • The ET Inbound rule (sid:2032636) uses HTTP method GET in the rule but the exploit sends an HTTP POST. Verify rule logic matches actual traffic method before deploying.
  • Affected firmware versions are Mitsubishi Electric ME-RTU through 2.02 and INEA ME-RTU through 3.0. Ensure detection scope covers both vendor device ranges.
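
The detection notes above, as an added example (not code from the vendors, the rule authors or this page's sources): a request check that ignores HTTP method and authentication state, matches the ET byte pattern, and allowlists the host field instead of looking only for a semicolon. It assumes a form-encoded body, as the &PingCheck=Test suffix suggests; the function names and sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Byte pattern from the ET rules quoted above: {'host' : ';
ET_PREFIX = b"{'host' : ';"
# Allowlist for a legitimate ping target: a DNS hostname (assumption).
HOSTNAME = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                      r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def host_is_plain(value):
    """True if value is an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(value) is not None

def form_fields(body):
    """Decode an application/x-www-form-urlencoded body into (name, value) pairs."""
    text = body.decode("latin-1")
    pairs = (p.partition("=") for p in text.split("&") if p)
    return [(unquote_plus(k), unquote_plus(v)) for k, _, v in pairs]

def inspect_request(method, target, body):
    """Return a list of findings for one HTTP request; empty means clean.
    The method (and any cookie or auth header) is ignored on purpose."""
    if urlsplit(target).path != "/action.php":
        return []
    findings = []
    if body.startswith(ET_PREFIX):
        findings.append("body starts with ET byte pattern")
    for name, value in form_fields(body):
        if name == "host" and not host_is_plain(value):
            kind = "semicolon" if ";" in value else "non-hostname"
            findings.append(f"{kind} in host field")
    return findings

# Constructed sample requests (not captured traffic); <command> is a placeholder.
SAMPLES = [
    ("POST", "/action.php", b"host=192.0.2.10&PingCheck=Test"),
    ("POST", "/action.php", b"host=%3B%3Ccommand%3E&PingCheck=Test"),
    ("GET", "/action.php?x=1", b"{'host' : ';<command>'}"),
    ("POST", "/mobile.php", b"host=;<command>"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, inspect_request(method, target, body))
```

The same allowlist, applied to the host value before it reaches the shell, is also the server-side fix for this class of bug.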

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck  -        9.8    CRITICAL  -