cbcvebase.
CVE-2019-7667
published 2019-07-01


Priority P268 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.50% (90.3th percentile)
Prima Systems FlexAir, Versions 2.3.38 and prior. The application generates database backup files with a predictable name, and an attacker can use brute force to identify the database backup file name. A malicious actor can exploit this issue to download the database file and disclose login information, which can allow the attacker to bypass authentication and have full access to the system.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
primasystems | flexair | <= 2.3.38 |

Detection & IOCs (extracted from sources)

path: /links/Nova_Config_2019-01-03.bck
path: /Nova/assets/Nova_Config_2019-01-03.bck
path: /links/Nova_Config_2019-01-03_13-53.pdb3
path: /links/Nova_Config_
hash: 0dfcfa8cc7fd39d96ffe22dd406b5065
hash: 1af01c4a5a4ec37f451a9feb20a0bbbe
  • Monitor HTTP GET requests matching the pattern /links/Nova_Config_<YYYY-MM-DD>.bck or /links/Nova_Config_<YYYY-MM-DD_HH-MM>.pdb3 — sequential date-based brute-force of backup filenames is the core attack technique.
  • Alert on unauthenticated HTTP 200 responses to requests for *.bck or *.pdb3 files under /links/ or /Nova/assets/ paths on the FlexAir web interface.
  • Detect authentication bypass attempts using MD5 password hashes extracted from the downloaded SQLite database; look for login attempts with known default MD5 hashes for 'superadmin' and 'sysadmin' accounts.
  • Query the 'users' table in any recovered SQLite .bck/.pdb3 backup for columns usrloginname and usrloginpassword to identify exposed credentials.
  • The backup file naming scheme changed between older and newer versions: older versions use /links/Nova_Config_<YYYY-MM-DD>.bck or /Nova/assets/Nova_Config_<YYYY-MM-DD>.bck, while newer (pre-fix) versions use /links/Nova_Config_<YYYY-MM-DD_HH-MM>.pdb3, requiring time-component brute-force as well.
  • The vulnerability is fixed in version 2.4 and later; systems running FlexAir 2.3.38 and prior remain exploitable.
  • Passwords are stored as unsalted MD5 hashes in the SQLite backup database, enabling direct pass-the-hash or rapid offline cracking for authentication bypass.
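
The first two monitoring items above can be run as a log check. The following is an added example, not code from this page or from the vendor: it assumes Common/Combined Log Format access logs from a web server or proxy in front of FlexAir, and the sample log lines, client addresses and `ENUM_THRESHOLD` value are constructed for illustration.

```python
import re
from collections import defaultdict

# Backup paths named on this page: date-only .bck (older versions) and
# date+time .pdb3 (newer pre-fix versions), under /links/ or /Nova/assets/.
BACKUP_RE = re.compile(
    r"^/(?:links|Nova/assets)/Nova_Config_"
    r"(\d{4}-\d{2}-\d{2}(?:_\d{2}-\d{2})?)\.(?:bck|pdb3)$"
)
# Assumption: Common/Combined Log Format (client, request line, status).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

ENUM_THRESHOLD = 3  # hypothetical: distinct backup names per client before alerting


def analyze(lines, threshold=ENUM_THRESHOLD):
    """Return (clients enumerating backup names, backup requests answered 200)."""
    names_by_client = defaultdict(set)
    downloads = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        hit = BACKUP_RE.match(path)
        if method != "GET" or not hit:
            continue
        names_by_client[client].add(hit.group(1))  # date or date_time stamp tried
        if status == "200":
            downloads.append((client, path))  # a backup file was actually served
    enumerating = sorted(c for c, n in names_by_client.items() if len(n) >= threshold)
    return enumerating, downloads


# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jan/2019:14:00:01 +0000] "GET /links/Nova_Config_2019-01-01.bck HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.7 - - [03/Jan/2019:14:00:02 +0000] "GET /links/Nova_Config_2019-01-02.bck HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.7 - - [03/Jan/2019:14:00:03 +0000] "GET /links/Nova_Config_2019-01-03.bck HTTP/1.1" 200 48128 "-" "-"',
    '192.0.2.10 - - [03/Jan/2019:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [03/Jan/2019:14:06:00 +0000] "GET /links/Nova_Config_2019-01-03_13-53.pdb3 HTTP/1.1" 200 50176 "-" "-"',
]

if __name__ == "__main__":
    enumerating, downloads = analyze(SAMPLE_LOG)
    print("enumerating clients:", enumerating)
    print("backup files served:", downloads)
```

An access log alone does not show whether a request was authenticated, so every entry in the second list should be reviewed against session data.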

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N