CVE-2017-16806

HIGH NUCLEI

Ulterius Server < 1.9.5.0 - Directory Traversal

Title source: nuclei
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-16806. PoCs published by Rick Osgood, rickoooooo, Rick Osgood, Jacob Robles, including Metasploit module auxiliary/admin/http/ulterius_file_download. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages a directory traversal vulnerability in Ulterius Server < 1.9.5.0 to retrieve arbitrary files, including the fileIndex.db which contains a list of all indexed files on the system. It can also download specific files by traversing directories via path manipulation.

Description

The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal.

Exploits (3)

exploitdb WORKING POC
by Rick Osgood · pythonremotewindows
https://www.exploit-db.com/exploits/43141

This exploit leverages a directory traversal vulnerability in Ulterius Server < 1.9.5.0 to retrieve arbitrary files, including the fileIndex.db which contains a list of all indexed files on the system. It can also download specific files by traversing directories via path manipulation.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ulterius Server < 1.9.5.0
No auth needed
Prerequisites: Network access to the Ulterius server · Knowledge of the target file paths or ability to retrieve fileIndex.db
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by rickoooooo · poc
https://github.com/rickoooooo/ulteriusExploit

This is a Python exploit for CVE-2017-16806, targeting a directory traversal vulnerability in Ulterius Server versions prior to 1.9.5.0. It allows arbitrary file access by leveraging path traversal sequences and can retrieve the fileIndex.db for further enumeration.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ulterius Server < 1.9.5.0
No auth needed
Prerequisites: Network access to the Ulterius server on port 22006 or 2206 · Knowledge of file paths or ability to retrieve fileIndex.db
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by Rick Osgood, Jacob Robles · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/ulterius_file_download.rb

This Metasploit module exploits a directory traversal vulnerability in Ulterius Server to download arbitrary files, including the fileIndex.db which contains indexed file paths. It supports parsing the database to extract file paths or downloading specific files via path traversal.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ulterius Server < v1.9.5.0
No auth needed
Prerequisites: Network access to the Ulterius Server · Server running a vulnerable version (< v1.9.5.0)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Ulterius Server < 1.9.5.0 - Directory Traversal
HIGHby geeknik

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43141/

Scores

CVSS v3 7.5
EPSS 0.8650
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (2)
ulterius/ulterius_server 1.5.6.0
ulterius/ulterius_server 1.8.0.0
Published Nov 13, 2017
Tracked Since Feb 18, 2026