CVE-2017-12478
CRITICALUnitrends UEB http api remote code execution
Title source: metasploitDescription
It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system.
Exploits (4)
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/45559
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubyremotelinux_x86
https://www.exploit-db.com/exploits/43030
exploitdb
WORKING POC
VERIFIED
by Jared Arave · pythonremotelinux
https://www.exploit-db.com/exploits/42958
metasploit
WORKING POC
EXCELLENT
by Cale Smith, Benny Husted, Jared Arave, h00die · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ueb_api_rce.rb
Scores
CVSS v3
9.8
EPSS
0.8158
EPSS Percentile
99.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
kaseya/unitrends_backup
< 10.0
Published
Aug 07, 2017
Tracked Since
Feb 18, 2026