CVE-2019-17270
published 2019-12-10

CVE-2019-17270: Yachtcontrol through 2019-10-06: It's possible to perform direct Operating System commands as an unauthenticated user via the…

Priority: P188 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 58.88% (99.0th percentile)
Yachtcontrol through 2019-10-06: It's possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" page and parameter, where {COMMAND} will be executed and the results returned to the client. Affects Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP ranges. IP addresses vary due to DHCP client leasing by telcos.

Affected

1 range
Vendor:        yachtcontrol
Product:       yachtcontrol
Version range: <= 2019-10-06
Fixed in:      (none listed)

Detection & IOCs (extracted from sources)

path: /pages/systemcall.php?command={COMMAND}
url:  /pages/systemcall.php?command=cat%20/etc/passwd
snort rule (outbound):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029152; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, cve CVE_2019_17270, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
snort rule (inbound):
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029153; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, cve CVE_2019_17270, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
  • Exploit is a simple unauthenticated HTTP GET request; detect GET requests to /pages/systemcall.php (or the typo variant /pages/sytemcall.php) with a 'command=' parameter, especially containing pipe characters (|7c| = '|') indicating command chaining.
  • Successful exploitation response will contain /etc/passwd content; match HTTP 200 responses with body matching 'root:.*:0:0:' to confirm RCE.
  • The vulnerability is exploited by Mirai variant EchoBot; correlate detections with known Mirai/EchoBot botnet activity.
  • Affected servers are exposed via Dutch GPRS/4G mobile IP ranges with dynamic IPs; scope monitoring to those IP ranges for inbound exploitation attempts.
  • The ET Snort rules use the typo variant path '/pages/sytemcall.php' (missing 'c' in 'systemcall'), while the CVE description and Nuclei template use the correctly spelled '/pages/systemcall.php'. Detection rules should cover both spellings.
  • Target IP addresses are dynamic (DHCP-assigned) within Dutch mobile telco ranges, making IP-based blocklisting ineffective; path/parameter-based detection is required.
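The detection notes above reduce to two checks: a GET to either spelling of the systemcall.php path that carries a command= parameter (with pipe-chaining as an aggravating signal), and an HTTP 200 response whose body looks like /etc/passwd. The following Python is an added example, not code from this page or from any ET/Nuclei source; it runs both checks over a few constructed log entries (the tuple layout, function names and sample lines are assumptions made for the example, not a real log format):

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Correctly spelled path (CVE description / Nuclei) plus the typo variant used by the ET rules.
SYSTEMCALL_PATHS = ("/pages/systemcall.php", "/pages/sytemcall.php")

# /etc/passwd marker from the detection notes: the root entry with uid 0 / gid 0.
PASSWD_RE = re.compile(r"root:.*:0:0:")


def inspect_request(method: str, uri: str) -> Optional[dict]:
    """Return a finding for a GET to a systemcall.php path with a command= parameter, else None."""
    if method.upper() != "GET":
        return None
    parts = urlsplit(uri)
    if parts.path not in SYSTEMCALL_PATHS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "command" not in params:
        return None
    command = params["command"][0]
    return {
        "path": parts.path,
        "typo_variant": parts.path == "/pages/sytemcall.php",
        "command": command,
        "chaining": "|" in command,  # the |7c| byte the ET rules anchor on, after decoding
    }


def response_confirms_rce(status: int, body: str) -> bool:
    """True when a 200 response body carries /etc/passwd-style content."""
    return status == 200 and PASSWD_RE.search(body) is not None


# Constructed sample entries (not real traffic): (method, uri, status, response body)
SAMPLE_LOG = [
    ("GET", "/pages/systemcall.php?command=cat%20/etc/passwd", 200, "root:x:0:0:root:/root:/bin/sh\n"),
    ("GET", "/pages/sytemcall.php?command=%7Cid", 200, "uid=0(root)"),
    ("GET", "/pages/index.php", 200, "<html>"),
    ("POST", "/pages/systemcall.php?command=ls", 403, "forbidden"),
]


def scan_log(entries):
    """Apply both checks to each entry; return one finding per matching request."""
    findings = []
    for method, uri, status, body in entries:
        finding = inspect_request(method, uri)
        if finding is None:
            continue
        finding["rce_confirmed"] = response_confirms_rce(status, body)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the check runs on the decoded query value, an encoded pipe (%7C) is caught as chaining even though the ET rules only match the literal byte; the rce_confirmed flag lets a responder separate attempts from confirmed reads of /etc/passwd.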

CVSS provenance

NVD v3.1:  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0:  10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8  CRITICAL