CVE-2023-26609
Published: 2023-02-27
Priority: P1 82 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 38.72% (98.4th percentile)
ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.
Detection & IOCs (extracted from sources)
- Detect HTTP GET requests to /cgi-bin/mft/wireless_mft with shell metacharacters (;, |, %0a) in the 'ap' query parameter, indicating command injection attempts.
- Detect HTTP GET requests to /cgi-bin/admin/fileread with a READ.filePath parameter traversing to sensitive files such as /etc/passwd or /etc/boa.conf.
- Alert on use of default credentials admin:admin or manufacture:erutcafunam in HTTP Basic Auth headers targeting ABUS TVIP camera web interfaces.
- Monitor for SSH connections using legacy algorithms diffie-hellman-group1-sha1 (KEX) and ssh-rsa (HostKey) to ABUS TVIP devices, which may indicate post-exploitation persistence via the planted dropbear SSH daemon.
- Detect HTTP requests to the /device endpoint on ABUS TVIP cameras, which leaks running process lists and web content directory listings and is used for reconnaissance.
- Monitor for creation or modification of /etc/passwd on ABUS TVIP devices via the RCE vector, specifically appending new root-level user entries.
- Detect spawning of the dropbear SSH daemon (/etc/dropbear/dropbear) on ABUS TVIP devices, which is used by attackers to establish persistent remote root access.
- The web server on affected devices is Boa/0.94.14rc21 running on GM ARM Linux 2.6; detections should account for this server banner when fingerprinting vulnerable devices.
- ABUS conducted a replacement campaign in 2019 for affected TVIP 20000-21150 devices; any such device still network-accessible should be treated as unpatched and high-risk.
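A small request classifier covering the first three indicators in the list above (metacharacters in the 'ap' parameter, READ.filePath traversal, default Basic-auth credentials), added here as an illustration and not taken from any of the page's sources; parse_request, classify_request and the sample requests are constructed, and the metacharacters beyond ';', '|' and '%0a' are an assumed extension.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators from the detection list above: vulnerable CGI path and 'ap' parameter,
# metacharacters ';' '|' '%0a' (others assumed), fileread targets, default creds.
SHELL_META = re.compile(r"[;|\n`$&]")
SENSITIVE_FILES = ("/etc/passwd", "/etc/boa.conf")
DEFAULT_CREDS = {"admin:admin", "manufacture:erutcafunam"}

def parse_request(raw):
    """Split a raw HTTP request into (method, target, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify_request(raw):
    """Return the detection labels matching one request, or [] if it looks clean."""
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    hits = []
    if parts.path == "/cgi-bin/mft/wireless_mft":
        # parse_qs has already turned %0a into "\n", so the regex sees a newline
        if any(SHELL_META.search(v) for v in params.get("ap", [])):
            hits.append("CVE-2023-26609 command injection attempt")
    if parts.path == "/cgi-bin/admin/fileread":
        paths = [unquote(v) for v in params.get("READ.filePath", [])]  # 2nd decode
        if any(".." in p or p.endswith(SENSITIVE_FILES) for p in paths):
            hits.append("fileread path traversal")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
        except (ValueError, IndexError):
            creds = ""
        if creds in DEFAULT_CREDS:
            hits.append("default credentials in Basic auth")
    return hits

# Constructed sample requests (not real traffic), one per detection above.
SAMPLES = [
    "GET /cgi-bin/mft/wireless_mft?ap=home%3Becho%20probe HTTP/1.1\r\nHost: cam\r\n",
    "GET /cgi-bin/admin/fileread?READ.filePath=../../../etc/boa.conf HTTP/1.1\r\nHost: cam\r\n",
    "GET /device HTTP/1.1\r\nHost: cam\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n",
]
```

The query is decoded before matching so that a URL-encoded %0a or %3B does not slip past a literal-character rule.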
CVSS provenance
- NVD (v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 7.2 HIGH
CISA ICS
ABUS TVIP
cisa_ics · 2023-07-06 · CVSS 7.2
[HIGH] ABUS TVIP
ICS Advisory
## ABUS TVIP
Release Date: July 06, 2023
Alert Code: ICSA-23-187-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.2
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: ABUS
- Equipment: ABUS Security Camera
- Vulnerability: Command injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow arbitrary file reads or remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of ABUS TVIP, an indoor security camera, are affected:
- ABUS TVIP: 20000-21150
## 3.2 VULNERABILITY OVERVIEW
3.2.1 COMMAND INJECTION CWE-77
ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_m
GHSA
GHSA-8mvx-pm2m-j8f7: ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field
ghsa_unreviewed · 2023-02-27 · [HIGH]
ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.
VulnCheck
abus tvip_20000-21150_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2023 · CVSS 7.2 · [HIGH]
ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.
Affected: abus tvip_20000-21150_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2023-26609; https://isc.sans.edu/diary/rss/29870; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-17&host_type=src&vulnerability=cve-2023-26609; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabil
No detection rules found.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/171136/ABUS-Security-Camera-TVIP-20000-21150-LFI-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2023/Feb/16
- https://nwsec.de/NWSSA-001-2023.txt