cbcvebase.
CVE-2019-6447
published 2019-01-16

CVE-2019-6447: The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP…

PriorityP271high8.1CVSS 3.1
AVAACLPRNUINSUCHIHAN
EXPLOIT
EPSS
62.02%
99.1th percentile
The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.

Affected

2 ranges
VendorProductVersion rangeFixed in
estrongses_file_explorer_file_manager<= 4.1.9.7.4
googlechrome_chrome

Detection & IOCsextracted from sources · hover to see the quote

port59777
urlhttp://<target>:59777
commandPOST http://<target>:59777 Content-Type: application/json {"command":"<cmd>"}
otherContent-Type: application/json
commandlistFiles
commandgetFile
commandgetDeviceInfo
versionES File Explorer <= 4.1.9.7.4
  • Detect unauthenticated HTTP POST requests to TCP port 59777 with Content-Type: application/json body containing a 'command' key — this is the exploit trigger for CVE-2019-6447.
  • Monitor for HTTP GET requests to port 59777 with a file path appended (e.g., GET /storage/emulated/0/...) — this is the file download vector used by the exploit.
  • Flag any process or network listener binding to TCP port 59777 on an Android device; the port persists open after ES File Explorer is launched once.
  • Nmap identifies port 59777 as 'Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older' — this fingerprint on a mobile/Android device is a strong indicator of the vulnerable ES File Explorer service.
  • The Metasploit auxiliary module 'scanner/http/es_file_explorer_open_port' can be used to detect and exploit the open port; presence of this module in scan logs indicates active exploitation attempts.
  • ·The vulnerable HTTP server on port 59777 is only reachable from the local Wi-Fi network, limiting remote exploitation to network-adjacent attackers — not internet-exposed by default.
  • ·The port persists open even after the user backgrounds the app — detection/blocking should not assume the app must be actively in the foreground.
  • ·The Metasploit module was tested against version 4.1.9.5.1 specifically, though all versions through 4.1.9.7.4 are reported vulnerable.

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv2.04.8MEDIUMAV:A/AC:L/Au:N/C:P/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.