cbcvebase.
CVE-2019-7276
published 2019-07-01

CVE-2019-7276: Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.

Priority: P192 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 93.38% (99.8th percentile)

Affected (2 ranges)

Vendor    Product     Version range   Fixed in
optergy   enterprise  <= 2.3.0a
optergy   proton      <= 2.3.0a

Detection & IOCs (extracted from sources)

url: /tools/ajax/ConsoleResult.html?get
url: /tools/ajax/ConsoleResult.html
path: /tools/ajax/ConsoleResult.html
path: Console.jsp
ua: BB/BMS-251.4ev4h
command: command=cat /etc/passwd&challenge={{challenge}}&answer={{ sha1(challenge) + md5(sha1(challenge)) }}
command: sudo
  • Detect unauthenticated GET requests to the backdoor challenge endpoint /tools/ajax/ConsoleResult.html?get, followed by a POST to the same path with 'command', 'challenge', and 'answer' parameters.
  • The exploit answer parameter is computed as SHA1(challenge) concatenated with MD5(SHA1(challenge)). Detecting this specific two-step hash pattern in POST body parameters can identify exploitation attempts.
  • Alert on HTTP requests containing the User-Agent string 'BB/BMS-251.4ev4h', which is hardcoded in the public exploit PoC.
  • Monitor for HTTP responses with Content-Type application/json and body matching regex 'root:.*:0:0:' as an indicator of successful exploitation via the backdoor console.
  • Shodan query 'html:"Optergy"' can be used to identify internet-exposed Optergy BMS devices potentially vulnerable to this CVE.
  • Successful exploitation results in root command execution using sudo as user 'optergy'. Monitor for sudo usage by the 'optergy' OS user as a post-exploitation indicator.
  • The vulnerability affects Optergy Proton and Enterprise BMS versions 2.0.3a and below. Version 2.3.0a is also explicitly referenced in the public exploit. Ensure version scoping is applied when triaging alerts.
  • The backdoor console endpoint is undocumented and unauthenticated: no credentials are required to reach it, so perimeter authentication controls alone are insufficient to block exploitation.
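As an added example (not from this page's sources or from the vendor), the detection logic below applies the indicators above to HTTP request records: the unauthenticated GET to the challenge endpoint, the POST carrying the command, challenge and answer parameters, the answer derivation SHA1(challenge) + MD5(SHA1(challenge)), the PoC User-Agent, and the GET-then-POST sequence from one client. It assumes both digests are lowercase hex with the MD5 taken over the SHA1 hex text; the request records, client addresses and challenge value are constructed.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

BACKDOOR_PATH = "/tools/ajax/ConsoleResult.html"
POC_USER_AGENT = "BB/BMS-251.4ev4h"

def expected_answer(challenge: str) -> str:
    # Answer derivation as the indicators state it: SHA1(challenge) followed by
    # MD5(SHA1(challenge)). Assumption: lowercase hex, MD5 over the SHA1 hex text.
    sha = hashlib.sha1(challenge.encode()).hexdigest()
    return sha + hashlib.md5(sha.encode()).hexdigest()

def indicators(req: dict) -> list[str]:
    """Name every listed indicator present in one HTTP request record."""
    hits = ["poc_user_agent"] if req.get("user_agent") == POC_USER_AGENT else []
    url = urlsplit(req.get("url", ""))
    if url.path != BACKDOOR_PATH:
        return hits
    query = parse_qs(url.query, keep_blank_values=True)
    if req.get("method") == "GET" and "get" in query:
        hits.append("challenge_fetch")          # unauthenticated challenge request
    if req.get("method") == "POST":
        form = {k: v[0] for k, v in parse_qs(req.get("body", ""), keep_blank_values=True).items()}
        if {"command", "challenge", "answer"}.issubset(form):
            hits.append("console_command")      # all three backdoor parameters present
            if form["answer"].lower() == expected_answer(form["challenge"]):
                hits.append("answer_matches_challenge")  # the exact two-step hash pattern
    return hits

def scan(requests: list[dict]) -> tuple[list[list[str]], bool]:
    """Per-request hits, plus whether any client fetched a challenge and then sent a command."""
    hits = [indicators(r) for r in requests]
    fetched, sequence = set(), False
    for req, h in zip(requests, hits):
        if "challenge_fetch" in h:
            fetched.add(req["client"])
        if "console_command" in h and req["client"] in fetched:
            sequence = True
    return hits, sequence

# Constructed sample records (not real traffic); addresses are from documentation ranges.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.7", "method": "GET", "url": BACKDOOR_PATH + "?get",
     "user_agent": POC_USER_AGENT, "body": ""},
    {"client": "203.0.113.7", "method": "POST", "url": BACKDOOR_PATH, "user_agent": POC_USER_AGENT,
     "body": "command=cat+/etc/passwd&challenge=abc123&answer=" + expected_answer("abc123")},
    {"client": "198.51.100.9", "method": "GET", "url": "/index.html", "user_agent": "Mozilla/5.0", "body": ""},
]
```

Run `scan(SAMPLE_REQUESTS)` to get the per-request indicator names and a flag for the GET-then-POST sequence; the same functions work over parsed proxy or web-server access logs that retain POST bodies.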

CVSS provenance

nvd        v3.0  9.8   CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck        9.8   CRITICAL