CVE-2017-12478

CRITICAL

Unitrends UEB http api remote code execution

Title source: metasploit

Exploitation Summary

EIP tracks 4 public exploits for CVE-2017-12478. PoCs published by Metasploit, Jared Arave, Cale Smith, Benny Husted, Jared Arave, h00die, including Metasploit module exploits/linux/http/ueb_api_rce.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass and command injection vulnerability in Unitrends Backup (UEB) versions before 10.0.0 and UEB < 10.1.0. It leverages SQL injection for authentication bypass and command injection via unvalidated input parameters in the API endpoints.

Description

It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/45559

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass and command injection vulnerability in Unitrends Backup (UEB) versions before 10.0.0 and UEB < 10.1.0. It leverages SQL injection for authentication bypass and command injection via unvalidated input parameters in the API endpoints.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unitrends Backup (UEB) before 10.0.0 and UEB < 10.1.0

No auth needed

Prerequisites: Network access to the target system · Target system running vulnerable UEB version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux_x86

https://www.exploit-db.com/exploits/43030

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass and command injection vulnerability in Unitrends Backup (UB) before 10.0.0 via the api/storage endpoint. It uses a SQLi-based session token to bypass authentication and injects arbitrary commands through the hostname parameter.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unitrends Backup (UB) before 10.0.0

No auth needed

Prerequisites: Network access to the target system · Target running Unitrends Backup (UB) before 10.0.0

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Jared Arave · pythonremotelinux

https://www.exploit-db.com/exploits/42958

View Code ZIP pw:eip

This exploit leverages a SQL injection vulnerability for authentication bypass and command injection to achieve unauthenticated root remote code execution on Unitrends UEB 9.1. It sends a crafted payload to execute a reverse shell or a custom command.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unitrends UEB 9.1

No auth needed

Prerequisites: Network access to the target · Target running Unitrends UEB 9.1

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Cale Smith, Benny Husted, Jared Arave, h00die · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ueb_api_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass and command injection vulnerability in Unitrends Backup (UEB) versions before 10.0.0. It leverages SQL injection for authentication bypass and command injection via unvalidated input parameters in the API endpoints.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unitrends Backup (UEB) before 10.0.0

No auth needed

Prerequisites: Network access to the target system · API endpoint accessibility

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43030/

Vendor Advisory x_refsource_confirm

https://support.unitrends.com/UnitrendsBackup/s/article/000005756

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45559/

Scores

CVSS v3 9.8

EPSS 0.8158

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (1)

kaseya/unitrends_backup < 10.0

Published Aug 07, 2017

Tracked Since Feb 18, 2026