CVE-2019-8387
published 2019-05-08

CVE-2019-8387: MASTER IPCAMERA01 3.3.4.2103 devices allow Remote Command Execution, related to the thttpd component.

Priority: P187 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 55.72% (98.9th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
barni | master_ip_camera01_firmware | |

Detection & IOCs (extracted from sources)

path: /cgi-bin/bconf.cgi
path: /cgi-bin/ddns_start.cgi
path: /cgi-bin/getddnsattr.cgi
path: /cgi-bin/getinetattr.cgi
path: /cgi-bin/getnettype.cgi
path: /cgi-bin/getupnp.cgi
path: /cgi-bin/getwifiattr.cgi
path: /cgi-bin/getwifistatus.cgi
path: /cgi-bin/inetconfig.cgi
path: /cgi-bin/iptest.cgi
path: /cgi-bin/listwifiap.cgi
path: /cgi-bin/p2p.cgi
path: /cgi-bin/paraconf.cgi
path: /cgi-bin/scanwifi.cgi
path: /cgi-bin/setadslattr.cgi
path: /cgi-bin/setddnsattr.cgi
path: /cgi-bin/setinetattr.cgi
path: /cgi-bin/setwifiattr.cgi
path: /cgi-bin/upnp_start.cgi
path: /cgi-bin/wifimode.cgi
path: /cgi-bin/wifitest.cgi
command: ?cmd=`<command>`
  • Detect HTTP GET requests to any of the vulnerable CGI endpoints on Master IP CAM 01 devices where the 'cmd' or 'action' query parameter contains backtick-wrapped shell command injection (e.g., ?cmd=`...` or ?action=`...`)
  • Monitor for outbound HTTP requests from IP camera devices containing shell command output in the URI path, indicative of successful RCE exfiltration (e.g., wget with $(id) in the URL)
  • The exploit targets firmware version 3.3.4.2103 specifically; the vulnerable CGI endpoints and injection parameters may differ on other firmware versions
  • The exploit iterates through 21 CGI endpoints and stops at the first one returning HTTP 200; not all endpoints may be present or reachable on every device configuration

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL