CVE-2020-6627
Published 2022-12-06
Priority: P274 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 12.45% (95.7th percentile)
The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET to /index.php/Start/get_firmware with X-Requested-With: XMLHttpRequest header as a fingerprinting/check step for this exploit.
- Detect unauthenticated POST to /index.php/Start/set_start_info with JSON body containing 'state':'start'; this is the access-control bypass step that enables subsequent exploitation.
- Detect unauthenticated POST to /index.php/Start/add_edit_user with isAdmin:true in the JSON body; this is the unauthorized admin user creation step.
- Alert on SSH login (port 22) to a Seagate Central NAS immediately following the above unauthenticated HTTP POST sequence; this indicates successful RCE via the newly created admin account.
- The exploit leverages the device being in or forced into the 'start' state; monitor for the check_device_name request as the OS command injection trigger.
- Exploit only works against firmware version 2015.0916; the check step confirms the strings 'Cirrus NAS' and '2015.0916' in the /get_firmware response before proceeding.
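The detection points above can be correlated per source address. The following is an added example, not code from this page or its sources; it assumes a log pipeline that already emits normalized events with the hypothetical fields `ts`, `src`, `kind`, `method`, `path`, `headers`, `body` and `authed`, and that the JSON bodies are flat objects.

```python
import json

def classify(ev):
    """Map an unauthenticated HTTP event to a stage name, or None."""
    if ev["kind"] != "http" or ev.get("authed"):
        return None
    try:
        body = json.loads(ev.get("body") or "{}")
    except ValueError:
        body = None
    body = body if isinstance(body, dict) else {}
    method, path = ev["method"], ev["path"]
    if method == "GET" and path.endswith("/Start/get_firmware"):
        xrw = ev.get("headers", {}).get("X-Requested-With")
        return "fingerprint" if xrw == "XMLHttpRequest" else None
    if method == "POST" and path.endswith("/Start/set_start_info"):
        return "state_start" if body.get("state") == "start" else None
    if method == "POST" and path.endswith("/Start/add_edit_user"):
        return "admin_create" if body.get("isAdmin") in (True, "true") else None
    if "check_device_name" in path:  # exact route is not given on the page
        return "check_device_name"
    return None

def correlate(events, window=300):  # window: max seconds from admin_create to SSH login
    seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            seen.setdefault(ev["src"], {})[stage] = ev["ts"]
            if stage in ("admin_create", "check_device_name"):
                alerts.append((ev["src"], "high", stage))
        elif ev["kind"] == "ssh_login":
            stages = seen.get(ev["src"], {})
            t = stages.get("admin_create")
            if "state_start" in stages and t is not None and 0 <= ev["ts"] - t <= window:
                alerts.append((ev["src"], "critical", "ssh_after_admin_create"))
    return alerts

def http(ts, src, method, path, body="", headers=None, authed=False):
    return {"ts": ts, "src": src, "kind": "http", "method": method, "path": path,
            "body": body, "headers": headers or {}, "authed": authed}

SAMPLE = [  # constructed events; 192.0.2.0/24 is documentation address space
    http(0, "192.0.2.10", "GET", "/index.php/Start/get_firmware", headers={"X-Requested-With": "XMLHttpRequest"}),
    http(2, "192.0.2.10", "POST", "/index.php/Start/set_start_info", '{"state": "start"}'),
    http(3, "192.0.2.10", "POST", "/index.php/Start/add_edit_user", '{"isAdmin": true}'),
    {"ts": 9, "src": "192.0.2.10", "kind": "ssh_login"},
    {"ts": 20, "src": "192.0.2.77", "kind": "ssh_login"},  # unrelated login, no alert
]
print(correlate(SAMPLE))
```

The fingerprint and state-change requests are recorded but do not alert on their own; only the admin-creation request, a check_device_name request, or an SSH login that follows the full sequence raises an alert.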
- http://packetstormsecurity.com/files/172590/Seagate-Central-Storage-2015.0916-User-Creation-Command-Execution.html
- https://github.com/rapid7/metasploit-framework/pull/12844
- https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/
- https://www.invictuseurope.com/blog/