Network Appliances & Devices

Routers, firewalls, and appliance admin interfaces hit by IoT botnets and exploit kits.

15 probed paths in this category.

+CSCOU+/portal.css

Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability

Risk: On a vulnerable Cisco ASA Clientless SSL VPN, attackers can read or tamper with portal customization objects to inject content into the login portal, enabling phishing or credential theft against VPN users (CVE-2014-3393).

Fix: Patch Cisco ASA to a fixed software release, disable Clientless SSL VPN if unused, and restrict WebVPN portal access; reset any customization objects that may have been altered.

boaform/admin/formLogin

Boa web-server router admin login form, targeted by IoT botnets

Risk: Indicates a Boa-server-based router/ONT admin panel; botnets brute-force or exploit default credentials here to gain administrative access and conscript the device for DDoS or traffic interception.

Fix: Change default admin credentials, disable WAN-side access to the management interface, and update the device firmware since the embedded Boa server is unmaintained and unpatched.

cgi-bin/luci

OpenWrt LuCI web-interface CGI endpoint

Risk: Identifies an OpenWrt router running the LuCI interface; unpatched LuCI versions with known CVEs can allow command injection or authentication bypass, giving full control of the router and its traffic.

Fix: Restrict LuCI to the LAN/management interface only, keep OpenWrt firmware patched, and require strong admin credentials so the CGI endpoint is never reachable from the WAN.

cgi-bin/printenv.pl

CGI scripts

Risk: This sample CGI script prints all server environment variables, leaking internal paths, software versions, and potentially secrets, and its presence signals an outdated CGI setup vulnerable to issues like Shellshock.

Fix: Delete sample CGI scripts shipped with the web server, patch bash/CGI handlers against Shellshock, and disable CGI execution where it is not needed.

DomHB4/?mode=portfolio

DomHB4

Risk: Scanners probe this template/theme-specific path to fingerprint a particular CMS or site builder; if present and unpatched it can reveal the framework version and any associated known vulnerabilities.

Fix: Return a clean 404 for unknown paths without disclosing server or framework version, keep the underlying platform patched, and remove unused themes or demo modes.

Dora4/

Dora4

Risk: A probe for a specific application or theme directory used to fingerprint the stack; an exposed install would reveal the product and version, narrowing the attacker's exploit search.

Fix: Serve a clean 404 for nonexistent directories, disable directory listing, suppress version headers, and keep any matching software updated.

epa/scripts/win/nsepa_setup.exe

EPA

Risk: This Citrix/NetScaler Endpoint Analysis (EPA) installer path fingerprints a Citrix Gateway, a frequent target for critical flaws such as CitrixBleed (CVE-2023-4966), which leaks session tokens, and auth-bypass and RCE bugs that grant network access.

Fix: Keep Citrix Gateway/NetScaler patched to current builds, terminate active sessions after patching CitrixBleed-class bugs, and restrict management access to trusted networks.

HNAP1/

Home Network Administration Protocol endpoint, targeted by router worms and IoT botnets

Risk: A reachable HNAP endpoint exposes D-Link/Cisco router management actions; known HNAP flaws (e.g. command injection, auth bypass) let worms such as Mirai variants execute commands and enroll the device into a botnet.

Fix: Disable HNAP/remote management on the device, block the endpoint at the WAN firewall, and apply vendor firmware updates that patch HNAP command-injection vulnerabilities.

mifs/.;/services/LogService

F5 BIG-IP

Risk: This path-traversal style request targets Ivanti/MobileIron (EPMM) services, exploiting authentication-bypass flaws (such as CVE-2020-15505 / CVE-2023-35078) to reach internal APIs for unauthenticated RCE or access to enrolled mobile device data.

Fix: Patch Ivanti EPMM/MobileIron to the latest release, restrict management portal exposure behind a VPN or access gateway, and block the `/.;/` semicolon traversal pattern at the reverse proxy or WAF.

remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

Fortinet FortiGate

Risk: Exploits the FortiOS path-traversal vulnerability (CVE-2018-13379) to read the SSL VPN session database in cleartext, leaking valid usernames and passwords that let an attacker authenticate to the VPN and pivot into the internal network.

Fix: Patch FortiOS to a fixed release, then force-reset all VPN user credentials since exposed passwords may already be compromised; restrict management/SSL-VPN interfaces to trusted source IPs.

t4

T4 templating engine

Risk: If a T4 (Text Template Transformation Toolkit) processing endpoint is reachable, attacker-controlled template input can lead to server-side template injection and arbitrary code execution in the .NET host process.

Fix: Never render T4 templates from untrusted input at runtime; pre-compile templates at build time and ensure no template-processing endpoint is exposed to user requests.

Telerik.Web.UI.WebResource.axd

Telerik UI for ASP.NET AJAX web-resource handler, target of CVE-2017-9248 and CVE-2019-18935

Risk: Indicates the Telerik UI for ASP.NET AJAX handler is present; in unpatched versions, CVE-2017-9248 allows decryption of the dialog key and CVE-2019-18935 enables deserialization leading to remote code execution on the web server.

Fix: Upgrade Telerik UI to a patched release, rotate the Telerik.Web.UI encryption keys, and disable the dialog handler/async-upload if unused.

tt-976.html

Trend Micro InterScan Web Security Virtual Appliance

Risk: Probing this page fingerprints a Trend Micro InterScan Web Security Virtual Appliance, which has known command-injection and auth-bypass flaws that let an attacker run commands as root and disable web-traffic filtering for the whole network.

Fix: Apply current vendor patches to the IWSVA appliance and keep its admin and proxy interfaces off the public internet, restricted to internal management subnets.

WEB-INF/jetty-env.xml

Jetty

Risk: This Jetty deployment descriptor reveals JNDI datasource definitions, including database connection strings and credentials, plus internal resource bindings, enabling direct backend database access. WEB-INF should never be served, so its exposure indicates a path-traversal or misconfiguration flaw.

Fix: Ensure the servlet container enforces the WEB-INF access restriction so its contents are never served over HTTP, and patch any path-traversal or alias misconfiguration that allows reading WEB-INF resources.

webfig/

MikroTik

Risk: The MikroTik RouterOS WebFig management interface exposes router administration; with valid or default credentials an attacker can alter routing, firewall, VPN, and DNS settings or pivot into the internal network. Several RouterOS versions have unauthenticated WebFig/Winbox CVEs leading to full device compromise.

Fix: Restrict WebFig to a management VLAN or VPN, disable the www service on WAN interfaces, change default admin credentials, and keep RouterOS updated to patch known WebFig/Winbox vulnerabilities.