
CVE-2020-27130 Cisco Security Manager Vulnerability


CISCO Backdoor Malware Overview

This report is about a critical Cisco Security Manager path traversal vulnerability that is being tracked as CVE-2020-27130. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to gain access to sensitive data and download files from the targeted device. Cisco has released software updates that remediate this vulnerability in the affected product versions.

Tactics, Techniques and Procedures

CVE-2020-27130 is a critical Cisco Security Manager path traversal vulnerability that could lead to a remote attacker accessing and manipulating sensitive data. This vulnerability is due to improper validation of directory traversal character sequences in requests sent to devices running the vulnerable software versions. The software weakness involved in CVE-2020-27130 is CWE-35 (Path Traversal). CWE-35 is present when software does not properly neutralize character sequences that resolve to locations outside of the restricted directory. This allows an attacker to traverse the file system to gain access to sensitive data. 
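As an added illustration (not Cisco's code and not part of the advisory), the following Python shows the two defender-side halves of CWE-35 described above: a detection check that flags ".." segments in request paths, including percent-encoded forms, over constructed sample request lines, and a mitigation that confines a requested file to a base directory. The directory names and request lines are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample request lines (not taken from any real device or log).
SAMPLE_REQUESTS = [
    "GET /reports/daily.pdf HTTP/1.1",
    "GET /reports/../../etc/passwd HTTP/1.1",
    "GET /reports/..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET /reports/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1",
    "GET /reports/archive/2020/summary.txt HTTP/1.1",
]

# A ".." that stands alone as a path segment (either separator style).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def decode_path(raw_path):
    """Percent-decode repeatedly so encoded traversal (%2e%2e%2f, %252e) is visible."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def is_traversal_attempt(raw_path):
    """Detection: does the decoded path contain a '..' segment?"""
    return bool(TRAVERSAL_RE.search(decode_path(raw_path)))

def resolve_within(base_dir, raw_path):
    """Mitigation for CWE-35: resolve the requested file under base_dir and
    refuse anything whose canonical form lies outside that directory."""
    base = os.path.realpath(base_dir)
    rel = decode_path(raw_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def flag_requests(lines):
    """Return the request paths in `lines` that look like traversal attempts."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and is_traversal_attempt(parts[1]):
            flagged.append(parts[1])
    return flagged
```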

An unauthenticated, remote attacker could exploit CVE-2020-27130 by sending a crafted request to a vulnerable device. Successful exploitation could allow the attacker to view sensitive data and download arbitrary files from the targeted host.

The only products known to be affected by CVE-2020-27130 are Cisco Security Manager versions 4.21 and prior.

When targeting Joomla systems, the malware downloads two zip files, joomlahide.zip and joomla.zip, from the domain shellx[.]org. One archive contains a backdoor built for uploading files; the other contains the An0n_3xPloiTeR web shell. An0n_3xPloiTeR is designed to deface websites, change the colors of the site, inject code, provide logout and self-removal options, and much more.

Business Unit Impact

  • Could lead to unauthorized access, manipulation, and exfiltration of sensitive company data

Recommendations

Companies using one of the affected Cisco Security Manager versions are encouraged to verify that the latest available version is in use and, if it is not, to update to that version to remediate this threat in their environment.

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.
