CVE-2018-5347

CRITICAL

Seagate Media Server - Command Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-5347. PoCs published by SecuriTeam.

AI-analyzed exploit summary: This exploit demonstrates unauthenticated command injection vulnerabilities in Seagate Personal Cloud's Django-based web interface. It leverages the `uploadTelemetry` and `getLogs` endpoints to execute arbitrary commands with root privileges via unsanitized GET parameters.

Description

Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled.

Exploits (1)

exploitdb · WORKING POC
by SecuriTeam · remote · hardware
https://www.exploit-db.com/exploits/43659

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Seagate Personal Cloud Home Media Storage (Django-based web interface)
No auth needed
Prerequisites: Network access to the target device · Target device must be running the vulnerable Seagate Personal Cloud software
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43659/
Exploit, Third Party Advisory x_refsource_misc
https://blogs.securiteam.com/index.php/archives/3548

Scores

CVSS v3: 9.8
EPSS: 0.5416
EPSS Percentile: 98.9%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (1): seagate/personal_cloud_firmware
Published: Jan 12, 2018
Tracked Since: Feb 18, 2026