The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
In early March, 2025, US CISA warned that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
The issue is an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’). Edimax IC-7100 fails to properly sanitize requests, so an attacker can create specially crafted requests to achieve remote code execution on the device. Report suspected malicious activity to CISA for tracking and correlation with other incidents.
The flaw impacts all IC-7100 IP Camera versions, and the vulnerability has yet to be addressed because these cameras are end-of-life products.
The advisory doesn’t confirm exploitation of the flaw in the wild; however, the US agency urges organizations to report suspected malicious activity for tracking and correlation.
Akamai researchers discovered the vulnerability, and the cyber security firm confirmed ([1],[2]) that the flaw is actively exploited in the wild.
The experts observed multiple Mirai-based botnets that are currently exploiting multiple flaws, including the one in Edimax IC-7100 IP cameras.
Threat actors exploit remote command execution to run a shell script that downloads a Mirai malware payload from a remote server.
The second flaw added to the catalog, tracked as CVE-2024-48248, is a path traversal issue that allows unauthenticated attackers to read sensitive files like “/etc/shadow” via the “/c/router” endpoint, affecting all versions before 10.11.3.86570.
The vulnerability was patched in November 2024 with version 11.0.0.88174; watchTowr Labs published proof-of-concept exploit code in February.
The third issue added to the KEV catalog is a directory traversal vulnerability, tracked as CVE-2017-12637, in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5. Remote attackers can exploit the flaw to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017.
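A log-triage sketch for the CVE-2017-12637 pattern described above, added here as an example and not taken from the article or from CISA: it flags requests to the named path whose query string decodes to a `..` segment, including percent-encoded and double-encoded forms. The Common Log Format input, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Path named in the CVE-2017-12637 description; lowercased to compare conservatively.
SAP_PATH = "/scheduler/ui/js/ffffffffbca41eb4/uiutiljavascriptjs"
# Assumed input: Common Log Format -> client, request target, status code.
LINE_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Mar/2025:10:00:01 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?v=7.50 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [20/Mar/2025:10:00:02 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?x=../../placeholder HTTP/1.1" 200 512',
    '198.51.100.8 - - [20/Mar/2025:10:00:03 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?x=%252e%252e%252fplaceholder HTTP/1.1" 404 0',
    '203.0.113.5 - - [20/Mar/2025:10:00:04 +0000] "GET /index.html?x=../placeholder HTTP/1.1" 200 300',
    '198.51.100.9 - - [20/Mar/2025:10:00:05 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?x=..%5c..%5cplaceholder HTTP/1.1" 403 0',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dot_dot_segment(query):
    """True when the decoded query contains '..' as a whole path segment."""
    decoded = fully_decode(query).replace("\\", "/")
    return any(segment == ".." for segment in re.split(r"[/?&=;]", decoded))

def find_traversal_hits(log_lines):
    """Return (client, status, target) for dot-dot requests aimed at SAP_PATH."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target, status = m.groups()
        parts = urlsplit(target)
        if fully_decode(parts.path).lower().rstrip("/") != SAP_PATH:
            continue  # only the endpoint named in the CVE description is in scope
        if has_dot_dot_segment(parts.query):
            hits.append((client, int(status), target))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(hit)
```

The status code is kept in each hit so that matches answered with 200 can be reviewed before those that were rejected.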
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by April 9, 2025.
(SecurityAffairs – hacking, CISA)