CVE-2020-10173
Published 2020-03-05
CVE-2020-10173: Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute…
Priority: P186 · high · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 77.28% (99.5th percentile)
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute diagnostic pages, as demonstrated by shell metacharacters in the pingIpAddress parameter to ping.cgi.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comtrend | vr-3033_firmware | — | — |
Detection & IOCs (extracted from sources)
- Trend Micro Deep Discovery Inspector rule 4689 detects Comtrend Remote Command Execution exploit attempts over HTTP
- Trend Micro Deep Discovery Inspector rule 2452 detects Wget command-line injection, used by this Mirai variant for payload delivery
- The Mirai variant is detected under the signature IoT.Linux.MIRAI.VWISI (new) and Backdoor.Linux.MIRAI.VWIUJ (old)
- The malware uses XOR key 0x04 to encrypt embedded credentials; decrypting XOR-0x04 blobs in IoT malware samples may reveal brute-force credential lists targeting this campaign
- Exploit targets the pingIpAddress parameter in ping.cgi on Comtrend VR-3033 routers; monitor HTTP POST requests to /ping.cgi containing shell metacharacters in the pingIpAddress field
- The extracted brute-force credential list is XOR-encoded with key 0x04 inside the malware binary; the plaintext credentials listed in the report were decoded from the sample and represent the full set used by this variant
- CVE-2020-10173 exploitation requires authentication; the Mirai variant likely leverages brute-forced credentials before injecting commands via the ping/traceroute diagnostic pages
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | CRITICAL | — |
GHSA
GHSA-9695-x59r-82q9: Comtrend VR-3033 DE11-416SSG-C01_R02
ghsa_unreviewed · 2022-05-24 · CVE-2020-10173 · HIGH
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute diagnostic pages, as demonstrated by shell metacharacters in the pingIpAddress parameter to ping.cgi.
VulnCheck
comtrend vr-3033_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2020 · CVE-2020-10173 · CVSS 8.8 · HIGH
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute diagnostic pages, as demonstrated by shell metacharacters in the pingIpAddress parameter to ping.cgi.
Affected: comtrend vr-3033_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/; https://www.trendmicro.com/en_us/research/20/g/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173.ht
VulnCheck
LG supersign_cms Improper Control of Generation of Code ('Code Injection')
vulncheck · 2018 · CVE-2018-17173 · CVSS 9.8 · CRITICAL
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
Affected: LG supersign_cms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors; https://web.archive.org/web/20200319160240/https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/; https://www.trendmicro.com/en_us/research/20/g/new-
VulnCheck
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE Remote Command Execution
vulncheck · 2016 · CVE-2016-20016 · CVSS 9.8 · CRITICAL
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.
Affected: mvpower tv-7104he_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Referen
Oracle
Oracle Oracle Communications Applications Risk Matrix: Diameter Gateway and SDK (xstream) — CVE-2019-10173
vendor_oracle · 2020-10-15 · CVE-2019-10173 · CVSS 9.8 · CRITICAL
Oracle Oracle Communications Applications Risk Matrix: Diameter Gateway and SDK (xstream) vulnerability
CVE: CVE-2019-10173
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2020 (OCT 2020)
Suricata
ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)
suricata · 2020-07-13 · CVE-2020-10173 · CVSS 8.8 · HIGH
Rule: alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ping.cgi?pingIpAddress="; fast_pattern; content:"|3b|"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/; reference:cve,2020-10173; classtype:attempted-admin; sid:2030502; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_07_13, cve CVE_2020_10173, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, tag Description_Gen
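The following is an added example, not code from the advisory, from the Emerging Threats rule above, or from any of the sources quoted on this page. It applies the same detection logic as the Suricata signature (a request to ping.cgi whose pingIpAddress value carries a shell metacharacter) and the IOC note about monitoring POST requests to /ping.cgi, to a set of constructed sample requests. It goes slightly beyond the signature: it decodes percent-encoding, checks the POST body as well as the query string, and also flags values that contain no metacharacter but are not a plain IP address or hostname. The endpoint and parameter names come from the advisory text; the sample traffic and all function names are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoint and parameter named in the advisory text above.
DIAG_PAGE = "ping.cgi"
TARGET_PARAM = "pingIpAddress"

# Characters with meaning to a POSIX shell. A legitimate ping target (an IP
# address or a hostname) never contains any of them.
SHELL_METACHARS = set(";|&`$(){}<>\n\r'\"\\")

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_form(encoded):
    """Parse application/x-www-form-urlencoded data, splitting on '&' only.

    Written by hand instead of urllib.parse.parse_qs so that a ';' inside a value
    is kept as data: older Python versions treat ';' as a pair separator, which
    would hide exactly the byte the signature looks for.
    """
    params = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_plain_target(value):
    """True if value is a bare IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def classify_request(method, uri, body=""):
    """Classify one HTTP request as 'ignore', 'benign' or 'suspicious'.

    Returns (verdict, reason). The GET query string (what the Suricata rule
    matches) and the POST body (what the IOC note asks to monitor) are both
    inspected after percent-decoding.
    """
    parts = urlsplit(uri)
    if parts.path != DIAG_PAGE and not parts.path.endswith("/" + DIAG_PAGE):
        return ("ignore", "not a %s request" % DIAG_PAGE)
    values = parse_form(parts.query).get(TARGET_PARAM, [])
    if method.upper() == "POST":
        values += parse_form(body).get(TARGET_PARAM, [])
    if not values:
        return ("ignore", "no %s parameter" % TARGET_PARAM)
    for value in values:
        found = sorted(set(value) & SHELL_METACHARS)
        if found:
            return ("suspicious", "shell metacharacters %r in %s" % (found, TARGET_PARAM))
        if not is_plain_target(value):
            return ("suspicious", "%s=%r is not an IP address or hostname" % (TARGET_PARAM, value))
    return ("benign", "plain ping target")


# Constructed sample traffic for this example (not captured from a real device):
# (method, request URI, POST body).
SAMPLE_REQUESTS = [
    ("GET", "/ping.cgi?pingIpAddress=8.8.8.8", ""),
    ("GET", "/ping.cgi?pingIpAddress=8.8.8.8;id", ""),           # raw ';', as the rule matches
    ("GET", "/ping.cgi?pingIpAddress=127.0.0.1%7Cid", ""),       # percent-encoded '|'
    ("POST", "/ping.cgi", "pingIpAddress=example.com&pingLoops=3"),
    ("POST", "/ping.cgi", "pingIpAddress=example.com%60id%60"),  # backticks in the POST body
    ("GET", "/ping.cgi?pingIpAddress=8.8.8.8+-c+100", ""),       # extra arguments, no metacharacter
    ("GET", "/ping.cgi?pingLoops=3", ""),                        # parameter absent
    ("GET", "/index.html", ""),                                  # unrelated page
]


def scan_requests(requests):
    """Run classify_request over (method, uri, body) tuples; return the verdict list."""
    return [classify_request(m, u, b)[0] for (m, u, b) in requests]


if __name__ == "__main__":
    for (method, uri, body), verdict in zip(SAMPLE_REQUESTS, scan_requests(SAMPLE_REQUESTS)):
        print("%-10s %s %s %s" % (verdict, method, uri, body))
```

Two points for anyone tuning the signature above from this. First, the ET rule matches a GET with a raw `;` after `ping.cgi?pingIpAddress=`, while the IOC note talks about POST requests; inspecting both methods and decoding the parameter before testing it, as the classifier does, closes that gap. Second, because exploitation requires authentication, an alert on this endpoint means the client already holds working device credentials, which (per the IOC notes) this campaign obtains by brute force; the router's own authentication logs are the complementary data source.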
Checkpoint
15th November – Threat Intelligence Report
blogs_checkpoint · 2021-11-15 · CVE-2021-42237
## 15th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 15th November, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research notes a 178% increase in the number of malicious shopping websites, compared to the rest of the year, spotting over 5300 different malicious websites per week ahead of the end of this year’s e-shopping season.
Check Point Research has analyzed the operations of threat actor MosesStaff following its
Securelist
DDoS attacks in Q3 2020
blogs_securelist · 2020-10-28 · CVSS 8.8 · HIGH
Table of Contents
- News overview
- Quarter trends
- Quarter statistics
- Methodology
- Quarter results
- Attack geography
- Dynamics of the number of DDoS attacks
- Duration and types of DDoS attacks
- Conclusion
Authors
- Oleg Kupreev
- Alexander Gutnikov
- Ekaterina Badovskaya
## News overview
Q3 was relatively calm from a DDoS perspective. There were no headline innovations, although cybercriminals did continue to master techniques and develop malware already familiar to us from the last reporting period. For example, another DDoS botnet joined in the assault on Docker environments. The perpetrators infiltrated the target server, created an infected container, and placed in it the Kaiten bot (also known as Tsunami), paired with a cryptominer.
The Lucifer botnet, which first appeared on researc
Unit42
Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496
blogs_unit42 · 2020-09-03 · CVE-2020-17496 · CVSS 9.8 · CRITICAL
## Executive Summary
In September 2019, a remote code execution (RCE) vulnerability identified as CVE-2019-16759 was disclosed for vBulletin, a popular forum software. At that time, Unit 42 researchers published a blog on this vBulletin vulnerability, analyzing its root cause and the exploit we found in the wild. By exploiting this vulnerability, an attacker could have gained privileged access and control over any vBulletin server running versions 5.0.0 up to 5.5.4, and potentially lock organizations out from their own sites.
Recently, Unit 42 researchers found exploits in the wild leveraging the vBulletin pre-auth RCE vulnerability CVE-2020-17496. The exploits are a bypass of the fix for the previous vulnerability, CVE-2019-16759, which allows attackers to send a crafted HTTP request wi
Trendmicro
Mirai Botnet Attack IoT Devices via CVE-2020-5902
blogs_trendmicro · 2020-07-28 · CVE-2020-5902 · CVSS 9.8 · CRITICAL
# Mirai Botnet Attack IoT Devices via CVE-2020-5902
Based on the workaround published for CVE-2020-5902, we found a Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.
By: Augusto Remillano II, Jemimah Molina · 2020/07/28
Update as of 10:00 A.M. PST, July 30, 2020: Our continued analysis of the malware sample showed adjustments to the details involving the URI and Shodan scan parameters. We made the necessary changes in this post. We would like to thank F5 Networks for reaching out to us to clarify these details.
Following the initial disclosure of two F5 BIG-IP vulnerabilities on the first week of July, we continued monitoring and analyzing the vulnerabilit
Trendmicro
This Week in Security News: 07/10/2020
blogs_trendmicro · 2020-07-10 · CVSS 8.8 · HIGH
Exploits & Vulnerabilities
## This Week in Security News: 07/10/2020
This week, read about how fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums.
By: Jon Clay · 2020/07/10
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. Also, learn about a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173. Read on:
Cloud Security is Simple, Absolutely Simple.
“Cloud security is simple, absolutely simple. Stop over compl
Trendmicro
New Mirai variant for further vulnerabilities
blogs_trendmicro · 2020-07-09 · CVE-2020-10173 · CVSS 8.8 · HIGH
Malware
## New Mirai variant for further vulnerabilities
A new Mirai variant exploits nine vulnerabilities, some of which are being targeted for the first time.
By: Jemimah Molina, Augusto Remillano II · Jul 09, 2020
Original post by Augusto Remillano II and Jemimah Molina
A new Mirai variant (IoT.Linux.MIRAI.VWISI) exploits nine vulnerabilities. The most notable of them is CVE-2020-10173 in Comtrend VR-3033 routers, because it had not been targeted by earlier Mirai variants. Most of the vulnerabilities this Mirai variant exploits are a mix of old and new, which helps it cast a wide net covering different kinds of connected devices. Die neun in dieser Kampagne verwendeten Lücken betreff
Trendmicro
New Mirai Variant Expands, Exploits CVE-2020-1017
blogs_trendmicro · 2020-07-08 · CVE-2020-10173 · CVSS 7.8 · HIGH
IoT
## New Mirai Variant Expands, Exploits CVE-2020-10173
We discovered a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers which we have not observed exploited by past Mirai variants.
By: Augusto Remillano II, Jemimah Molina · Jul 08, 2020
We discovered a new Mirai variant (detected as IoT.Linux.MIRAI.VWISI) that exploits nine vulnerabilities, most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers which we have not observed exploited by past Mirai variants.
This discovery is a new addition to the Mirai variants that appeared in the past few months, that include SORA, UNSTABLE, and Mukashi. The case, however, showcases the ever-expanding arsenal of vulnerabilities ne