CVE-2023-26609
published 2023-02-27

CVE-2023-26609: ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.

Priority: P1 82 high · CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
In the wild: exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 38.72% (98.4th percentile)

Detection & IOCs (extracted from sources)

  • url: /cgi-bin/mft/wireless_mft?ap=testname;[command]
  • path: /cgi-bin/mft/wireless_mft
  • path: /cgi-bin/admin/fileread?READ.filePath=
  • command: curl -iv "http://manufacture:[email protected]/cgi-bin/mft/wireless_mft?ap=testname;$1"
  • command: curl -iv "http://admin:[email protected]/cgi-bin/admin/fileread?READ.filePath=/$1"
  • path: /etc/dropbear/dropbear_rsa_host_key
  • path: /etc/boa.conf
  • Detect HTTP GET requests to /cgi-bin/mft/wireless_mft with shell metacharacters (;, |, %0a) in the 'ap' query parameter, indicating command injection attempts.
  • Detect HTTP GET requests to /cgi-bin/admin/fileread with a READ.filePath parameter traversing to sensitive files such as /etc/passwd or /etc/boa.conf.
  • Alert on use of default credentials admin:admin or manufacture:erutcafunam in HTTP Basic Auth headers targeting ABUS TVIP camera web interfaces.
  • Monitor for SSH connections using legacy algorithms diffie-hellman-group1-sha1 (KEX) and ssh-rsa (HostKey) to ABUS TVIP devices, which may indicate post-exploitation persistence via the planted dropbear SSH daemon.
  • Detect HTTP requests to the /device endpoint on ABUS TVIP cameras, which leaks running process lists and web content directory listings and is used for reconnaissance.
  • Monitor for creation or modification of /etc/passwd on ABUS TVIP devices via the RCE vector, specifically appending new root-level user entries.
  • Detect spawning of the dropbear SSH daemon (/etc/dropbear/dropbear) on ABUS TVIP devices, which is used by attackers to establish persistent remote root access.
  • The web server on affected devices is Boa/0.94.14rc21 running on GM ARM Linux 2.6; detections should account for this server banner when fingerprinting vulnerable devices.
  • ABUS conducted a replacement campaign in 2019 for affected TVIP 20000-21150 devices; any such device still network-accessible should be treated as unpatched and high-risk.
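The first three detection points above, turned into a small log classifier. This is an added example, not code from the page's sources: it parses the query string itself (so a raw `;` is not swallowed as a separator), normalises `READ.filePath` before matching the sensitive files listed in the IOCs, and decodes HTTP Basic credentials to spot the default pairs. The log format (`client url auth`) and the sample lines are constructed for the example.

```python
import base64
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Shell metacharacters that have no business in a wireless AP name (%0a decodes to "\n").
METACHARS = re.compile(r"[;|&`$\n\r]")
# Files the fileread traversal was observed fetching, from the IOC list above.
SENSITIVE_FILES = ("/etc/passwd", "/etc/boa.conf", "/etc/dropbear/dropbear_rsa_host_key")
DEFAULT_CREDS = {"admin:admin", "manufacture:erutcafunam"}

def parse_query(query):
    """Split on '&' only, so a raw ';' stays inside the value it was injected into."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def classify_request(url, auth_header=None):
    """Return the detection tags that apply to one HTTP request."""
    tags = []
    parts = urlsplit(url)
    path, params = unquote(parts.path), parse_query(parts.query)
    if path == "/cgi-bin/mft/wireless_mft":
        if any(METACHARS.search(v) for v in params.get("ap", [])):
            tags.append("wireless_mft_cmd_injection")
    elif path == "/cgi-bin/admin/fileread":
        for fp in params.get("READ.filePath", []):
            target = posixpath.normpath("/" + fp.lstrip("/"))  # collapse ../ against the root
            if target in SENSITIVE_FILES:
                tags.append("fileread_sensitive_file")
    elif path == "/device":
        tags.append("device_recon")
    if auth_header and auth_header.startswith("Basic "):
        creds = base64.b64decode(auth_header[6:]).decode("latin-1")
        if creds in DEFAULT_CREDS:
            tags.append("default_credentials")
    return tags

def scan_log(lines):
    """Constructed format: 'client url auth' with auth '-' when absent; returns the hits."""
    hits = []
    for line in lines:
        client, url, auth = line.split(" ", 2)
        tags = classify_request(url, None if auth == "-" else auth)
        if tags:
            hits.append((client, url, tags))
    return hits

SAMPLE_LOG = [  # constructed sample traffic, not captured data
    "192.0.2.10 /cgi-bin/mft/wireless_mft?ap=testname%3Bid Basic " + base64.b64encode(b"manufacture:erutcafunam").decode(),
    "192.0.2.10 /cgi-bin/admin/fileread?READ.filePath=/etc/boa.conf Basic " + base64.b64encode(b"admin:admin").decode(),
    "192.0.2.11 /cgi-bin/mft/wireless_mft?ap=OfficeWiFi -",
]
```

Running `scan_log(SAMPLE_LOG)` flags the first two lines and leaves the legitimate AP name alone.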

CVSS provenance

  • nvd: v3.1 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  • vulncheck: 7.2 HIGH