CVE-2019-16663
published 2019-10-28


Priority: P2 79 high
CVSS 3.1 base score: 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 84.70% (99.7th percentile)
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to search.crud.php because the catCommand parameter is passed to the exec function without filtering, which can lead to command execution.

Affected

1 range

Vendor | Product | Version range | Fixed in
rconfig | rconfig | (none listed) | (none listed)

Detection & IOCs (extracted from sources)

path: /search.crud.php
url: /search.crud.php?searchTerm=&catCommand=%22%22
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig search.crud.php Command Injection (CVE-2019-16663)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.crud.php?searchTerm="; http.uri.raw; content:"&catCommand=%22%22"; fast_pattern; reference:cve,2019-16663; classtype:attempted-admin; sid:2033428; rev:1; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_16663, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • CVE-2019-16663 is exploited via HTTP GET request to /search.crud.php with the `catCommand` parameter containing unsanitized OS commands passed directly to exec(). Monitor for GET requests to this path with shell metacharacters (e.g., `;`, `|`, `&`) in the `catCommand` parameter.
  • The Emerging Threats Snort rule (SID 2033428) triggers on HTTP GET requests to `/search.crud.php?searchTerm=` with `&catCommand=%22%22` in the raw URI. Deploy this rule at perimeter and internal network sensors.
  • Proof-of-concept exploits for CVE-2019-16663 were publicly published. Both CVE-2019-16662 and CVE-2019-16663 affect all versions of rConfig and were unpatched at time of disclosure.
  • The Snort rule (SID 2033428) targets the specific URI pattern `/search.crud.php?searchTerm=` with `&catCommand=%22%22`. Attackers may URL-encode payloads differently or use alternate shell metacharacters, potentially evading this exact signature.
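The detection notes above describe two complementary checks: the exact raw-URI content that the ET rule (SID 2033428) matches on, and a broader check for shell metacharacters in the `catCommand` parameter. The following Python script is an added example for the defender side and is not part of this record or of any vendor tooling. It runs both checks over a handful of constructed web-server access-log lines (made up for this example), URL-decoding the parameter before the metacharacter check so that `%3B`-style encodings, the evasion the last note warns about, are still caught. It goes slightly beyond the note's list of `;`, `|` and `&` by also treating backtick and `$` as metacharacters.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (invented for this example; the IPs,
# timestamps and requests are not taken from any real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2019:10:01:02 +0000] "GET /search.crud.php?searchTerm=&catCommand=%22%22 HTTP/1.1" 200 512',
    '10.0.0.6 - - [28/Oct/2019:10:02:10 +0000] "GET /search.crud.php?searchTerm=router&catCommand=show%3Bcat HTTP/1.1" 200 880',
    '10.0.0.7 - - [28/Oct/2019:10:03:44 +0000] "GET /search.crud.php?searchTerm=core&catCommand=show HTTP/1.1" 200 640',
    '10.0.0.8 - - [28/Oct/2019:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 1201',
    '10.0.0.9 - - [28/Oct/2019:10:05:27 +0000] "POST /search.crud.php?searchTerm=&catCommand=%22%22 HTTP/1.1" 405 0',
]

# Request line inside a common-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell metacharacters to look for in the decoded catCommand value. The record
# lists ; | & ; backtick and $ are added here as a reasonable generalisation.
SHELL_META = set(";|&`$")

# Raw-URI content the Emerging Threats rule (SID 2033428) matches on.
ET_RAW_PATTERN = "&catCommand=%22%22"


def parse_request(line):
    """Extract (method, path, raw_query) from one access-log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("method"), parts.path, parts.query


def classify(line):
    """Return a reason string if the line looks like a CVE-2019-16663 probe, else None."""
    req = parse_request(line)
    if req is None:
        return None
    method, path, raw_query = req
    # The vulnerable endpoint is reached via GET; other methods are ignored here.
    if method != "GET" or not path.endswith("/search.crud.php"):
        return None
    # Check 1: exact raw-URI content, as the ET signature does (no decoding).
    if ET_RAW_PATTERN in raw_query:
        return "ET SID 2033428 pattern"
    # Check 2: decode the query first, then look for metacharacters in catCommand.
    params = parse_qs(raw_query, keep_blank_values=True)
    for value in params.get("catCommand", []):
        if SHELL_META & set(value):
            return "shell metacharacters in catCommand"
    return None


def scan_log(lines):
    """Run classify() over every line; return [(line_number, client_ip, reason)]."""
    hits = []
    for n, line in enumerate(lines, start=1):
        reason = classify(line)
        if reason:
            hits.append((n, line.split(" ", 1)[0], reason))
    return hits


if __name__ == "__main__":
    for n, ip, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip}: {reason}")
```

Against the sample lines, the first entry is flagged by the raw-URI check and the second by the decoded metacharacter check; the plain `catCommand=show` request, the unrelated page, and the POST request are not flagged. Because rConfig passes `catCommand` to `exec()` without filtering, even legitimate use of the endpoint reaches a shell, so the second check is a heuristic for abuse rather than a guarantee of malice, and alerts should be reviewed alongside the web server's process activity.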

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C