A vulnerability was found in Huawei VCM5010 (version unknown). It has been classified as critical. This affects an unknown function. The manipulation with an unknown input leads to a unrestricted upload vulnerability. CWE is classifying the issue as CWE-434. The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

VCM5010 with software versions earlier before V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that uploaded. An authenticated attacker could upload arbitrary files to the system.

The bug was discovered 03/29/2017. The weakness was released 11/22/2017 with Huawei (Website). It is possible to read the advisory at huawei.com. This vulnerability is uniquely identified as CVE-2017-2737 since 12/01/2016. It is possible to initiate the attack remotely. The successful exploitation requires a authentication. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 01/11/2023). The attack technique deployed by this issue is T1608.002 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 238 days. During that time the estimated underground price was around $5k-$25k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at 109850 and 109852.

Productinfo

Vendor

• Huawei

Name

• VCM5010

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion