CVE-2019-19356
published 2020-02-07

Severity: CVSS 3.1 7.5 (high); priority P183
CISA Known Exploited Vulnerability (KEV), due 2022-05-03; exploited in the wild
EPSS: 27.96% (97.9th percentile)
Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing.

Affected (2 ranges)

Vendor           Product            Version range   Fixed in
netis-systems    wf2419_firmware
netis-systems    wf2419_firmware

Detection & IOCs (extracted from sources)

path: /cgi-bin-igd/netcore_set.cgi
path: /cgi-bin-igd/netcore_get.cgi
command: mode_name=netcore_set&tools_type=2&tools_ip_url=|+<cmd>&tools_cmd=1&net_tools_set=1&wlan_idx_num=0
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin-igd/netcore_set.cgi"; http.request_body; content:"mode_name=netcore_set&tools_type=2&tools_ip_url=|7c|+"; fast_pattern; content:"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"; distance:0; reference:cve,2019-19356; reference:url,www.exploit-db.com/exploits/48149; classtype:attempted-admin; sid:2030278; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, cve CVE_2019_19356, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |7c|+
  • Exploit POST body to /cgi-bin-igd/netcore_set.cgi contains pipe character (URL-encoded as |7c|) in the tools_ip_url parameter, used to inject OS commands via the tracert diagnostic tool.
  • Command output is retrieved via a follow-up POST to /cgi-bin-igd/netcore_get.cgi with body mode_name=netcore_get&no=no; monitor for this two-stage request pattern.
  • Successful exploitation returns a JSON response with 'SUCCESS' as the first element; defenders can monitor for this response pattern on the CGI endpoint.
  • The Snort/ET rule uses fast_pattern on the pipe-encoded injection string in the HTTP request body; deploy the ET rule SID 2030278 at the network perimeter targeting inbound HTTP to IoT/router management interfaces.
  • The vulnerability requires authentication to the router web management page; exploitation is only possible post-login (authenticated RCE).
  • Two firmware versions are confirmed vulnerable: V1.2.31805 and V2.2.36123; scope detection/patching efforts to devices running these versions.
  • The ET Snort rule (SID 2030278) incorrectly specifies http.method content:"GET" while the exploit PoC uses HTTP POST; verify rule behaviour in your IDS/IPS before relying solely on this signature.
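The two-stage request pattern and the GET/POST mismatch described in the bullets above, as an added detection example (not code from this record or from the ET rule set). It assumes request records already decoded to (method, uri, body) tuples, for instance from a web-access log or proxy export; the sample records are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

SET_CGI = "/cgi-bin-igd/netcore_set.cgi"
GET_CGI = "/cgi-bin-igd/netcore_get.cgi"

# Constructed sample records (method, uri, body); the body field is kept for
# every method because some loggers record it for GET requests too.
SAMPLE_REQUESTS = [
    ("POST", SET_CGI,
     "mode_name=netcore_set&tools_type=2&tools_ip_url=|+id&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"),
    ("POST", GET_CGI, "mode_name=netcore_get&no=no"),
    ("POST", SET_CGI,  # benign use of the tracert tool
     "mode_name=netcore_set&tools_type=2&tools_ip_url=8.8.8.8&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"),
    ("GET", SET_CGI,   # same payload, URL-encoded pipe, sent with GET
     "mode_name=netcore_set&tools_type=2&tools_ip_url=%7C+whoami&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"),
]

def is_injection_attempt(method, uri, body):
    """True when a request drives the tracert tool (netcore_set, tools_type=2)
    with a shell metacharacter in tools_ip_url. The HTTP method is ignored on
    purpose: the PoC uses POST while the ET rule matches GET, so keying on the
    decoded body covers both."""
    if uri != SET_CGI:
        return False
    params = parse_qs(body, keep_blank_values=True)  # decodes %7C and '+'
    if params.get("mode_name") != ["netcore_set"] or params.get("tools_type") != ["2"]:
        return False
    target = params.get("tools_ip_url", [""])[0]
    return re.search(r"[|;&`$]", target) is not None

def find_two_stage(requests):
    """Pair each injection attempt with the next netcore_get fetch that follows
    it; returns a list of (set_index, get_index) for the two-stage pattern."""
    hits, pending = [], None
    for i, (method, uri, body) in enumerate(requests):
        if is_injection_attempt(method, uri, body):
            pending = i
        elif uri == GET_CGI and "mode_name=netcore_get" in body and pending is not None:
            hits.append((pending, i))
            pending = None
    return hits

if __name__ == "__main__":
    for set_idx, get_idx in find_two_stage(SAMPLE_REQUESTS):
        print(f"injection at record {set_idx}, output fetched at record {get_idx}")
```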

CVSS provenance

nvd        v3.1   7.5 HIGH   CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   8.5 HIGH   AV:N/AC:M/Au:S/C:C/I:C/A:C
vulncheck         7.5 HIGH
cisa              7.5 HIGH