CVE-2020-8605
published 2020-05-27

Priority: P1 (82) · Severity: High · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 87.58% (99.7th percentile)
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability.

Affected (2 ranges; the version-range and fixed-in cells were empty on this page)

Vendor        Product                                                Version range   Fixed in
trend_micro   trend_micro_interscan_web_security_virtual_appliance   (not shown)     (not shown)
trendmicro    interscan_web_security_virtual_appliance               (not shown)     (not shown)

Detection & IOCs (extracted from sources)

port      8443 (admin TLS interface)
port      8080 (forward proxy, used as the SSRF hop)
port      8983 (internal Apache Solr)
url       /solr/collection0/replication?command=filecontent&wt=filestream&generation=1&file=../../../../../../../
path      /rest/commonlog/get_sessionID
path      /rest/commonlog/log_setting/mount_device
cookie    JSESSIONID
command   mount $(perl -e 'system(pack(qq,H<len>,,qq,<hex_payload>,))') /var/offload
path      /var/offload
  • Monitor HTTP POST requests to /rest/commonlog/log_setting/mount_device whose mount_device JSON parameter contains shell metacharacters (e.g. $(), backticks); this is the command-injection sink.
  • Detect GET requests to the internal Apache Solr endpoint on port 8983 (e.g. /solr/collection0/replication?command=filecontent) that arrive unauthenticated through the proxy on port 8080; this indicates SSRF chained with path traversal.
  • Alert on path-traversal sequences (../ repeated seven times) in the 'file' parameter of Solr replication requests; they are used to read catalina.out and harvest JSESSIONID values from it.
  • Look for GET requests to /rest/commonlog/get_sessionID carrying a JSESSIONID cookie; the exploit validates stolen session tokens at this endpoint before proceeding to RCE.
  • Detect the payload-delivery pattern perl -e 'system(pack(...))' embedded in a mount command in the mount_device POST body; the hex-encoded argument is a Python Meterpreter dropper.
  • Flag inbound TLS connections to port 8443 (admin interface) followed shortly by connections to port 8080 (proxy) from the same source IP, the characteristic shape of the multi-stage exploit chain.
  • The exploit notes the IOC_IN_LOGS side effect; review catalina.out for anomalous JSESSIONID harvesting activity and unexpected mount commands.
  • The exploit targets the default SSL admin port 8443; if the appliance is configured on a non-default port the RPORT must be adjusted, and detections keyed on port 8443 alone will miss such deployments.
  • The proxy SSRF step requires port 8080 to be reachable from the attacker; if the proxy port is firewalled or changed from its default, the unauthenticated cookie-hijack stage fails and the exploit falls back to requiring valid credentials.
  • Cookie hijack succeeds only if an admin or user has an active session whose JSESSIONID appears in catalina.out; with no active sessions the exploit cannot proceed without valid credentials.
  • Affected versions are strictly prior to 6.5 SP2 Patch 4 Build 1901; patched appliances are not vulnerable.
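The detection bullets above, turned into rules and run over a constructed set of HTTP request records. This is an added example written for this page; it is not code from the page, from Trend Micro, or from the exploit's authors. The record format (ts, src, dport, method, path, cookies, body), the source addresses, the timestamps, the "echo test" hex payload and the file name after the traversal prefix are all assumptions; the endpoints, ports, cookie name and perl pack() pattern are the ones listed in the IOCs. The port constants are deliberately adjustable, because the caveats above note that detections keyed on the default 8443/8080 miss re-ported appliances.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Default ports from the page; change them if the appliance was re-ported (see the caveats above).
ADMIN_PORT = 8443   # admin TLS interface
PROXY_PORT = 8080   # forward proxy used as the SSRF hop towards Solr on 8983
MOUNT_SINK = "/rest/commonlog/log_setting/mount_device"
SESSION_CHECK = "/rest/commonlog/get_sessionID"
SHELL_META = re.compile(r"\$\(|`|;|\|")       # $(...), backticks, ; and | inside a mount argument
TRAVERSAL = re.compile(r"(?:\.\./){2,}")       # parse_qs has already decoded %2e%2e/ by this point
PACK_DROPPER = re.compile(r"perl\s+-e\s+'system\(pack\(qq,H\d+,,qq,([0-9a-fA-F]+),\)\)'")

# Constructed request records, not real appliance logs; the field names are assumptions that any
# WAF, reverse-proxy or Zeek-style HTTP log can be mapped onto. 203.0.113.5 plays the attacker; the
# hex payload decodes to "echo test" and "catalina.out" after the traversal is a placeholder name.
SAMPLE_REQUESTS = [
    {"ts": "2024-01-01T10:00:00", "src": "203.0.113.5", "dport": 8443, "method": "GET",
     "path": "/", "cookies": {}, "body": ""},
    {"ts": "2024-01-01T10:00:04", "src": "203.0.113.5", "dport": 8080, "method": "GET",
     "path": "http://127.0.0.1:8983/solr/collection0/replication?command=filecontent"
             "&wt=filestream&generation=1&file=../../../../../../../catalina.out",
     "cookies": {}, "body": ""},
    {"ts": "2024-01-01T10:00:09", "src": "203.0.113.5", "dport": 8443, "method": "GET",
     "path": SESSION_CHECK, "cookies": {"JSESSIONID": "0123456789ABCDEF"}, "body": ""},
    {"ts": "2024-01-01T10:00:15", "src": "203.0.113.5", "dport": 8443, "method": "POST",
     "path": MOUNT_SINK, "cookies": {"JSESSIONID": "0123456789ABCDEF"},
     "body": json.dumps({"mount_device": "mount $(perl -e 'system(pack(qq,H18,,qq,"
                                         "6563686f2074657374,))') /var/offload"})},
    # Benign traffic: a real admin mounting a device, and an ordinary proxy user.
    {"ts": "2024-01-01T10:01:00", "src": "198.51.100.7", "dport": 8443, "method": "POST",
     "path": MOUNT_SINK, "cookies": {"JSESSIONID": "FEDCBA9876543210"},
     "body": json.dumps({"mount_device": "/dev/sdb1"})},
    {"ts": "2024-01-01T10:01:30", "src": "198.51.100.20", "dport": 8080, "method": "GET",
     "path": "http://www.example.com/", "cookies": {}, "body": ""},
]

def _hit(rule, req, **extra):
    return {"rule": rule, "src": req["src"], "ts": req["ts"], **extra}

def check_mount_device(req):
    """Command-injection sink: POST to mount_device whose JSON value carries shell metacharacters."""
    if req["method"] != "POST" or urlparse(req["path"]).path != MOUNT_SINK:
        return None
    try:
        value = json.loads(req["body"]).get("mount_device", "")
    except (ValueError, AttributeError):
        return None
    if not isinstance(value, str) or not SHELL_META.search(value):
        return None
    m = PACK_DROPPER.search(value)
    if m:  # decode the pack("H*", ...) argument so the analyst sees the dropper in clear
        return _hit("mount_device_perl_pack_dropper", req, value=value,
                    decoded_payload=bytes.fromhex(m.group(1)).decode("latin-1"))
    return _hit("mount_device_cmd_injection", req, value=value)

def check_solr_traversal(req):
    """Solr replication filecontent read with ../ in 'file'; via_proxy marks the SSRF hop."""
    u = urlparse(req["path"])
    if not (u.path.startswith("/solr/") and u.path.endswith("/replication")):
        return None
    q = parse_qs(u.query)
    file_param = q.get("file", [""])[0]
    if q.get("command", [""])[0] != "filecontent" or not TRAVERSAL.search(file_param):
        return None
    return _hit("solr_replication_traversal", req, file=file_param, via_proxy=req["dport"] == PROXY_PORT)

def check_session_probe(req):
    """GET get_sessionID with a JSESSIONID cookie: the exploit validating a stolen token."""
    if req["method"] == "GET" and urlparse(req["path"]).path == SESSION_CHECK and "JSESSIONID" in req["cookies"]:
        return _hit("session_token_probe", req)
    return None

def check_port_pivot(requests, window=timedelta(minutes=5)):
    """Same source reaches the admin port and then, within `window`, the proxy port."""
    last_admin, hits = {}, []
    for r in sorted(requests, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(r["ts"])
        if r["dport"] == ADMIN_PORT:
            last_admin[r["src"]] = t
        elif r["dport"] == PROXY_PORT and r["src"] in last_admin and t - last_admin[r["src"]] <= window:
            hits.append(_hit("admin_then_proxy_pivot", r))
            del last_admin[r["src"]]   # one alert per admin-then-proxy pair
    return hits

def scan(requests):
    """Run the per-request rules, then the cross-request pivot rule."""
    rules = (check_mount_device, check_solr_traversal, check_session_probe)
    hits = [h for r in requests for rule in rules if (h := rule(r)) is not None]
    return hits + check_port_pivot(requests)

def chained_sources(hits, min_stages=3):
    """Sources that tripped at least min_stages distinct rules; several stages together stay precise."""
    stages = {}
    for h in hits:
        stages.setdefault(h["src"], set()).add(h["rule"])
    return sorted(src for src, rules in stages.items() if len(rules) >= min_stages)
```

Calling scan(SAMPLE_REQUESTS) yields four hits, all for 203.0.113.5 (traversal via the proxy, the session-token probe, the pack() dropper with its decoded "echo test" argument, and the 8443-then-8080 pivot), and chained_sources() reports only that address; the legitimate mount of /dev/sdb1 and the ordinary proxy fetch trip nothing. The single-request rules are the ones to port into a WAF or SIEM as they stand; the pivot rule needs flow or connection logs keyed by source, and the chained_sources threshold is the knob to raise if 8443 or 8080 were moved and the port-based rules are weakened.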

CVSS provenance

NVD  v3.1  8.8  HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P