High severity 8.8 · NVD Advisory · Published Dec 27, 2017 · Updated May 13, 2026

CVE-2017-17888

Description

cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on NetBiter / HMS, Ouman EH-net, Alliance System WS100 --> AWU 500, Sauter ERW100F001, Carlo Gavazzi SIU-DLG, AEDILIS SMART-1, SYXTHSENSE WebBiter, ABB SREA, and ASCON DY WebServer devices, allows remote authenticated users to execute arbitrary OS commands via crafted multipart/form-data content, a different vulnerability than CVE-2017-9097.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Anti-Web through 3.8.7 allows remote authenticated OS command injection via crafted multipart/form-data in cgi-bin/write.cgi.

Vulnerability

cgi-bin/write.cgi in Anti-Web through version 3.8.7 (used in numerous industrial IoT devices such as NetBiter/HMS, Ouman EH-net, Alliance System WS100, Sauter ERW100F001, Carlo Gavazzi SIU-DLG, AEDILIS SMART-1, SYXTHSENSE WebBiter, ABB SREA, and ASCON DY WebServer) contains a command injection flaw. The vulnerability is triggered by sending crafted multipart/form-data content to the script. This issue is distinct from CVE-2017-9097 [1].

Exploitation

An attacker must first obtain valid authentication credentials for the web interface. With authenticated access, the attacker sends an HTTP POST request to cgi-bin/write.cgi with a specially crafted multipart/form-data payload. The parameters in the multipart data are not properly sanitized before being passed to a shell command, allowing arbitrary OS commands to be injected and executed [1].
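For defenders, the request shape described above can be checked in captured traffic or at a reverse proxy in front of the device. The following is an added example, not code from the advisory or any vendor: it parses a multipart/form-data body posted to cgi-bin/write.cgi and reports parts whose name, filename or value contains shell metacharacters. The field names, the sample request and the metacharacter set are constructed assumptions.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP
from email.utils import collapse_rfc2231_value

# Heuristic metacharacter set (an assumption; tune to the values your devices really use).
SHELL_META = re.compile(r"[;|&`<>]|\$\(")

def suspicious_fields(content_type, body):
    """Return [(field_name, where)] for multipart parts containing shell metacharacters."""
    raw = b"Content-Type: " + content_type.encode("ascii", "replace") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    if not msg.is_multipart():
        return []
    hits = []
    for part in msg.iter_parts():
        name = collapse_rfc2231_value(part.get_param("name", "", "content-disposition"))
        filename = part.get_filename() or ""
        value = (part.get_payload(decode=True) or b"").decode("latin-1")
        for where, text in (("name", name), ("filename", filename), ("value", value)):
            if SHELL_META.search(text):
                hits.append((name, where))
    return hits

def inspect_request(method, path, content_type, body):
    """Apply the check only to the request the advisory names: POST to cgi-bin/write.cgi."""
    target = path.split("?", 1)[0]
    if method.upper() != "POST" or not target.endswith("cgi-bin/write.cgi"):
        return []
    return suspicious_fields(content_type, body)

# Constructed sample request body; "page" and "label" are hypothetical field names.
SAMPLE_CT = "multipart/form-data; boundary=CONSTRUCTED"
SAMPLE_BODY = (
    b"--CONSTRUCTED\r\n"
    b'Content-Disposition: form-data; name="page"\r\n\r\n'
    b"status\r\n"
    b"--CONSTRUCTED\r\n"
    b'Content-Disposition: form-data; name="label"\r\n\r\n'
    b"pump1; echo marker\r\n"
    b"--CONSTRUCTED--\r\n"
)

if __name__ == "__main__":
    print(inspect_request("POST", "/cgi-bin/write.cgi", SAMPLE_CT, SAMPLE_BODY))
```

A match is a signal for review, not proof of exploitation, since characters such as `&` can occur in legitimate form values.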

Impact

Successful exploitation allows a remote authenticated attacker to execute arbitrary operating system commands on the affected device. This can lead to full compromise of the device, including data disclosure, modification, denial of service, or use as a pivot point for further attacks on the industrial network. The CVSS v3 score is 8.8 (High) [1].

Mitigation

According to the available reference [1], no official solution or temporary workaround was available at the time of disclosure. Users should monitor vendor advisories for patches. If the device is no longer supported (EOL), replacement or network segmentation is advised. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
