CVE-2019-18396
published 2019-10-31


Priority: P276 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 16.21% (96.5th percentile)
An issue was discovered in certain Oi third-party firmware that may be installed on Technicolor TD5130v2 devices. A Command Injection in the Ping module in the Web Interface in OI_Fw_V20 allows remote attackers to execute arbitrary OS commands in the pingAddr parameter to mnt_ping.cgi. NOTE: This may overlap CVE-2017-14127.

Affected

1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| technicolor | td5130v2_firmware | | |

Detection & IOCs (extracted from sources)

path: /mnt_ping.cgi
command: isSubmit=1&addrType=3&pingAddr=;ls&send=Send
url: /mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|
snort
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-18396/CVE-2017-14127 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029155; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_18396, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-18396/CVE-2017-14127 (Outbound)"; flow:established,to_server; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029154; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_18396, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
  • Exploit targets HTTP POST to /mnt_ping.cgi with command injection payload in the 'pingAddr' parameter using semicolon (;) as command separator
  • In-the-wild exploitation (e.g., by Mirai variant EchoBot) uses GET requests to /mnt_ping.cgi with a semicolon in the pingAddr parameter; the ET rules write it as |3b|, the Snort content notation for the byte 0x3b
  • Monitor both inbound and outbound HTTP traffic for the URI pattern /mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr= as covered by ET rules sid:2029155 (inbound) and sid:2029154 (outbound)
  • Exploitation linked to Mirai variant EchoBot; correlate with known Mirai botnet IoCs when this CVE is triggered
  • The vulnerability exists only in third-party Oi firmware (OI_Fw_V20) installed on Technicolor TD5130v2 devices, not in stock Technicolor firmware
  • This CVE may overlap with CVE-2017-14127, so detections should consider both CVEs together (as reflected in the ET Snort rules referencing both)

CVSS provenance

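| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 7.2 | HIGH | |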