CVE-2020-10173
published 2020-03-05

Priority: high
CVSS 3.1 base score: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 77.28% (99.5th percentile)
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute diagnostic pages, as demonstrated by shell metacharacters in the pingIpAddress parameter to ping.cgi.

Affected (1 range)

Vendor: comtrend
Product: vr-3033_firmware
Version range / fixed in: not listed

Detection & IOCs (extracted from sources)

Path: /ping.cgi
  • Trend Micro Deep Discovery Inspector rule 4689 detects Comtrend Remote Command Execution exploit attempts over HTTP
  • Trend Micro Deep Discovery Inspector rule 2452 detects Wget command-line injection, used by this Mirai variant for payload delivery
  • The Mirai variant is detected under the signature IoT.Linux.MIRAI.VWISI (new) and Backdoor.Linux.MIRAI.VWIUJ (old)
  • The malware uses XOR key 0x04 to encrypt embedded credentials; decrypting XOR-0x04 blobs in IoT malware samples may reveal brute-force credential lists targeting this campaign
  • Exploit targets the pingIpAddress parameter in ping.cgi on Comtrend VR-3033 routers; monitor HTTP POST requests to /ping.cgi containing shell metacharacters in the pingIpAddress field
  • The extracted brute-force credential list is XOR-encoded with key 0x04 inside the malware binary; the plaintext credentials listed in the report were decoded from the sample and represent the full set used by this variant
  • CVE-2020-10173 exploitation requires authentication; the Mirai variant likely leverages brute-forced credentials before injecting commands via the ping/traceroute diagnostic pages
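The monitoring note above (POSTs to /ping.cgi whose pingIpAddress field carries shell metacharacters) expressed as a small detection check. This is an added example, not from the page's sources or any vendor rule; the request tuples are constructed samples, and the metacharacter set and the accepted address/hostname pattern are assumptions you would tune to your own logs.

```python
import re
from urllib.parse import parse_qs

# Characters that never belong in an IP address or hostname but let a value
# reach the shell: command separators, substitution, redirection, newlines.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\r]")
# What a legitimate ping target looks like: IPv4/IPv6 address or plain hostname.
ALLOWED_TARGET = re.compile(r"^[A-Za-z0-9.:-]{1,253}$")


def inspect_request(method, path, body):
    """Return a reason string if the request matches the CVE-2020-10173
    pattern (POST to /ping.cgi with a hostile pingIpAddress), else None.
    Other paths and methods are deliberately ignored to keep the check narrow."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/ping.cgi":
        return None
    fields = parse_qs(body, keep_blank_values=True)  # decodes %3B etc.
    for value in fields.get("pingIpAddress", []):
        if not value:
            continue
        if SHELL_METACHARS.search(value):
            return "shell metacharacters in pingIpAddress: %r" % value
        if not ALLOWED_TARGET.match(value):
            return "non-address value in pingIpAddress: %r" % value
    return None


# Constructed sample requests as (method, path, urlencoded body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/ping.cgi", "pingIpAddress=192.168.1.1&action=ping"),   # benign
    ("POST", "/ping.cgi", "pingIpAddress=192.168.1.1%3Bid&action=ping"),  # ';' injected
    ("POST", "/ping.cgi", "pingIpAddress=%60id%60"),                  # backticks
    ("GET", "/ping.cgi", "pingIpAddress=1.1.1.1%3Bid"),               # wrong method
    ("POST", "/status.cgi", "pingIpAddress=1.1.1.1%3Bid"),            # other page
]


def scan(requests):
    """Run inspect_request over a batch; returns a list of (index, reason) hits."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        reason = inspect_request(method, path, body)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for i, reason in scan(SAMPLE_REQUESTS):
        print("ALERT request %d: %s" % (i, reason))
```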

CVSS provenance

Source         CVSS version  Score  Severity  Vector
nvd            v3.1          8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0          9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck      -             9.8    CRITICAL  -
vendor_oracle  -             9.8    CRITICAL  -