CVE-2021-29003
Published: 2021-04-13
Priority P1 · 88 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 45.42% (98.6th percentile)
Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| genexis | platinum_4410_firmware | — | — |
Detection & IOCs (extracted from sources)
Rule (Suricata syntax, ET Open sid 2033758):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Genexis PLATINUM 4410 Command Injection Inbound (CVE-2021-29003)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sys_config_valid.xgi?exeshell="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2021-29003; classtype:attempted-admin; sid:2033758; rev:1; metadata:attack_target Server, created_at 2021_08_22, cve CVE_2021_29003, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_08_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- The rule fires on HTTP GET requests whose URI contains /sys_config_valid.xgi?exeshell=; that query parameter is the OS command injection point (CWE-78).
- The pcre is evaluated relative to the end of the content match (the /R flag), so it only fires when the very first byte of the exeshell value is a shell metacharacter: semicolon (0x3b), newline (0x0a), ampersand (0x26), backtick (0x60), pipe (0x7C) or dollar sign (0x24). A value that starts with an ordinary token and carries the metacharacter later (for example exeshell=x;telnetd) is not matched by this rule as written; widen the pcre if you want that coverage at the cost of some false positives. The comparison runs against Suricata's normalized http.uri buffer, which is percent-decoded, so the %60 in the published payload is seen as a literal backtick.
- The demonstrated payload wraps telnetd in URL-encoded backticks with a trailing %26 (&), so the shell starts telnetd in the background and the CGI request returns normally, leaving a telnet service running on the device that the attacker can connect to. Nothing in the payload itself survives a reboot, so treat it as a foothold rather than persistence in the strict sense.
- The vulnerability is confirmed only on firmware 2.1 P4410-V2-1.28; other versions are not confirmed affected.
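To make the rule's matching logic concrete, here is an added Python example written for this page; it is not code from Emerging Threats, Genexis or any of the cited sources. It re-implements the content-plus-relative-pcre check of sid 2033758 over a few constructed request lines and puts a broader variant beside it, so the gap between "metacharacter in the first byte" and "metacharacter anywhere in the value" is visible. The percent-decoding step stands in for Suricata's normalized http.uri buffer; the sample request lines are constructed, not captured traffic, and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Injection point from the advisory: the exeshell query parameter of sys_config_valid.xgi.
URI_PREFIX = "/sys_config_valid.xgi?exeshell="

# Same character set as the ET rule's pcre alternation: ; \n & ` | $
SHELL_META = re.compile(r"[\x3b\x0a\x26\x60\x7c\x24]")

# Constructed sample request lines (not captured traffic): the published PoC,
# a benign-looking value, a payload that defers the metacharacter past the
# first byte, and a different CGI path carrying the same parameter name.
SAMPLE_REQUESTS = [
    "GET /sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 HTTP/1.1",
    "GET /sys_config_valid.xgi?exeshell=status HTTP/1.1",
    "GET /sys_config_valid.xgi?exeshell=x%3Btelnetd HTTP/1.1",
    "GET /cgi-bin/other.xgi?exeshell=%60id%60 HTTP/1.1",
]


def normalized_uri(request_line):
    """Split a request line into (method, uri) with the URI percent-decoded.

    This approximates Suricata's normalized http.uri buffer, which is the
    buffer the ET rule's content and pcre keywords inspect.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None, None
    return parts[0], unquote(parts[1])


def exeshell_value(request_line):
    """Return the decoded exeshell value when a GET hits the vulnerable CGI, else None.

    Everything after 'exeshell=' is treated as the value, including any later
    '&'-separated parameters, because '&' is itself an injection character here.
    """
    method, uri = normalized_uri(request_line)
    if method != "GET" or uri is None:
        return None
    idx = uri.find(URI_PREFIX)
    if idx < 0:
        return None
    return uri[idx + len(URI_PREFIX):]


def et_rule_matches(request_line):
    """Mirror ET sid 2033758: the pcre is relative (/R) to the end of the
    content match, so only a metacharacter in the FIRST byte of the value fires."""
    value = exeshell_value(request_line)
    return value is not None and SHELL_META.match(value) is not None


def strict_matches(request_line):
    """Broader variant: any shell metacharacter anywhere in the value.

    Catches payloads that lead with an ordinary token, at the cost of alerting
    on benign values that legitimately contain '&' or '$'.
    """
    value = exeshell_value(request_line)
    return value is not None and SHELL_META.search(value) is not None


def scan(request_lines):
    """Evaluate both detections over a batch of request lines."""
    return [(et_rule_matches(line), strict_matches(line)) for line in request_lines]


if __name__ == "__main__":
    for line, (et, strict) in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"ET={str(et):5} strict={str(strict):5}  {line}")
```

Run stand-alone, the third sample is the one to look at: the ET-faithful check stays silent because the value starts with "x", while the broader check flags the ";" that follows. Whether to deploy the broader form depends on how much benign traffic to this CGI carries "&" or "$" in the parameter, which is exactly the trade-off the ET authors made by anchoring on the first byte.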
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-m43v-j8fp-7vjj: Genexis PLATINUM 4410 2
ghsa_unreviewed · 2022-05-24 · CVE-2021-29003 · CRITICAL · CWE-78
VulnCheck
genexis platinum_4410_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2021 · CVSS 9.8 · CRITICAL
Affected: genexis platinum_4410_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/
- https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html
- https://blogs.juniper.net/en-us/threat-research/necro-python-botn
Suricata
ET EXPLOIT Genexis PLATINUM 4410 Command Injection Inbound (CVE-2021-29003)
suricata · 2021-08-22 · CVSS 9.8 · CRITICAL · sid 2033758
Rule: sid 2033758, reproduced in full above under Detection & IOCs.
Unit42
Network Attack Trends: February-April 2021
blogs_unit42 · 2021-07-01 · Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen · Trend Reports, Vulnerabilities, Network security trends
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
References
- http://packetstormsecurity.com/files/162174/Genexis-PLATINUM-4410-2.1-P4410-V2-1.28-Remote-Command-Execution.html
- https://hackerworld.home.blog/2021/03/19/rce-in-genexis-router/