CVE-2017-9097

CRITICAL

Anti-Web <3.8.7 - Path Traversal

Title source: llm

Description

In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through 3.21.2, WS100 devices through 3.30.5, EC150 devices through 1.40.0, WS200 devices through 3.30.4, EC250 devices through 1.40.0, and other products, an LFI vulnerability allows a remote attacker to read or modify files through a path traversal technique, as demonstrated by reading the password file, or using the template parameter to cgi-bin/write.cgi to write to an arbitrary file.

Exploits (1)

nomisec WORKING POC 3 stars
by MDudek-ICS · poc
https://github.com/MDudek-ICS/AntiWeb_testing-Suite

Scores

CVSS v3 9.1
EPSS 0.0954
EPSS Percentile 92.9%
Attack Vector NETWORK
CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE CWE-22
Status published
Products (11)
hoytech/antiweb 3.0.7 hms2
hoytech/antiweb 3.3.5
hoytech/antiweb 3.6.1
hoytech/antiweb 3.7.1
hoytech/antiweb 3.7.2
hoytech/antiweb 3.8.1
hoytech/antiweb 3.8.2
hoytech/antiweb 3.8.3
hoytech/antiweb 3.8.4
hoytech/antiweb 3.8.5
... and 1 more
Published Jun 16, 2017
Tracked Since Feb 18, 2026