CVE-2017-7240

HIGH

Miele Professional PST10 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-7240. PoCs published by Jens Regel.

AI-analyzed exploit summary This exploit demonstrates a directory traversal vulnerability in the Miele Professional PG 8528 web server, allowing unauthenticated attackers to access sensitive files like /etc/shadow via crafted HTTP GET requests.

Description

An issue was discovered on Miele Professional PST10 devices. The corresponding embedded webserver "PST10 WebServer" typically listens to port 80 and is prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks. A Proof of Concept is GET /../../../../../../../../../../../../etc/shadow HTTP/1.1. This affects PG8527 devices 2.02 before 2.12, PG8527 devices 2.51 before 2.61, PG8527 devices 2.52 before 2.62, PG8527 devices 2.54 before 2.64, PG8528 devices 2.02 before 2.12, PG8528 devices 2.51 before 2.61, PG8528 devices 2.52 before 2.62, PG8528 devices 2.54 before 2.64, PG8535 devices 1.00 before 1.10, PG8535 devices 1.04 before 1.14, PG8536 devices 1.10 before 1.20, and PG8536 devices 1.14 before 1.24.

Exploits (1)

exploitdb WORKING POC

by Jens Regel · textremotehardware

https://www.exploit-db.com/exploits/41718

View Code ZIP pw:eip

This exploit demonstrates a directory traversal vulnerability in the Miele Professional PG 8528 web server, allowing unauthenticated attackers to access sensitive files like /etc/shadow via crafted HTTP GET requests.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Miele Professional PG 8528 with PST10 WebServer

No auth needed

Prerequisites: network access to the target device

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources x_refsource_misc

https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://seclists.org/fulldisclosure/2017/Mar/63

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41718/

Various Sources x_refsource_misc

https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/97080

Scores

CVSS v3 7.5

EPSS 0.1741

EPSS Percentile 96.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (1)

miele_professional/pst10_webserver

Published Mar 24, 2017

Tracked Since Feb 18, 2026