CVE-2021-22652
published 2021-02-11


Priority: P1 (79), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 36.84% (98.3rd percentile)
Access to the configuration of Advantech iView versions prior to v5.7.03.6112 is missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.

Affected

1 range

Vendor | Product | Version range | Fixed in
advantech | iview | < 5.7.03.6112 | 5.7.03.6112

Detection & IOCs (extracted from sources)

url: /iView3/NetworkServlet
path: webapps\iView3\
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Advantech iView RCE Setup via Config Overwrite Inbound (CVE-2021-22652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/iView3/NetworkServlet"; fast_pattern; http.request_body; content:"page_action"; startswith; content:"|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|"; reference:url,www.rapid7.com/blog/post/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/; reference:cve,2021-22652; classtype:attempted-admin; sid:2032767; rev:1; metadata:attack_target Web_Server, created_at 2021_04_15, cve CVE_2021_22652, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_15;)
bytes:
|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|
  • Exploit targets the unauthenticated POST endpoint /iView3/NetworkServlet to overwrite the EXPORTPATH configuration value, redirecting exports to a web-accessible path (webapps\iView3\) to enable arbitrary file write and subsequent RCE.
  • HTTP POST requests to /iView3/NetworkServlet with a body starting with 'page_action' and containing an EXPORTPATH key set to a webapps path should be treated as exploitation attempts.
  • The process running iView is typically NT AUTHORITY\SYSTEM; any new child processes spawned from the iView service process after exploitation should be investigated as potential RCE indicators.
  • The Snort/ET rule (sid:2032767) targets inbound traffic to $HTTP_SERVERS and $HOME_NET; ensure these variables are correctly scoped to include the iView server's IP to avoid missed detections.
  • The vulnerability is fixed in iView v5.7.03.6112; the demonstrated vulnerable version is 5.7.02.5992. Detection rules are only operationally relevant on unpatched instances.
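
The four conditions of the rule above, applied to already-parsed HTTP requests, as an added example (not part of the original page or of the ET ruleset). The function names and the sample requests are constructed for illustration; only the URI and the content pattern come from this page.

```python
# Content pattern and URI copied from the rule on this page (sid:2032767).
EXPORTPATH_CONTENT = "|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|"
SERVLET_URI = "/iView3/NetworkServlet"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string: text inside |...| is hex, the rest is literal."""
    out = bytearray()
    # Splitting on '|' alternates literal parts (even index) and hex parts (odd index).
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


NEEDLE = snort_content_to_bytes(EXPORTPATH_CONTENT)


def matches_rule(method: str, uri: str, body: bytes) -> bool:
    """True when one request satisfies all four conditions of the rule."""
    return (
        method == "POST"
        and SERVLET_URI in uri
        and body.startswith(b"page_action")
        and NEEDLE in body
    )


def scan(requests):
    """Return the ids of requests that should be triaged as exploitation attempts."""
    return [r["id"] for r in requests if matches_rule(r["method"], r["uri"], r["body"])]


# Constructed sample requests (not captured traffic). Parameter names and values
# after "page_action" are placeholders, not taken from the page.
SAMPLES = [
    {"id": "req-1", "method": "POST", "uri": "/iView3/NetworkServlet",
     "body": b"page_action=PLACEHOLDER&x={" + NEEDLE + b"}"},
    {"id": "req-2", "method": "GET", "uri": "/iView3/NetworkServlet", "body": b""},
    {"id": "req-3", "method": "POST", "uri": "/iView3/NetworkServlet",
     "body": b"page_action=PLACEHOLDER&x={}"},
    {"id": "req-4", "method": "POST", "uri": "/iView3/Other",
     "body": b"page_action=PLACEHOLDER&x={" + NEEDLE + b"}"},
]

if __name__ == "__main__":
    print("decoded content:", NEEDLE.decode("latin-1"))
    print("flagged:", scan(SAMPLES))
```
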

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P