Default Password Vulnerability in Apache Axis2 for SAP BusinessObjects and CA ARCserve
CVE-2010-0219

Currently unrated

Key Information:

Vendor: Apache
CVE Published: 18 October 2010

Badges

👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 93%

Summary

The Apache Axis2 framework, utilized in products such as SAP BusinessObjects Enterprise XI 3.2 and CA ARCserve D2D r15, exposes a security flaw with its admin account, which is pre-configured with the insecure default password 'axis2'. This vulnerability allows remote attackers to gain unauthorized access and potentially execute arbitrary code by uploading crafted web services, posing significant risks to the integrity and availability of the affected systems. Organizations using these products must take immediate steps to modify default credentials to safeguard against potential exploitation.
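A defender-side check for the condition described above, added here as an example and not taken from the advisory or from any vendor. It assumes the stock Axis2 layout, where the admin credentials are the `userName` and `password` parameters in `WEB-INF/conf/axis2.xml`; bundling products may place the file elsewhere, and the sample documents and finding codes are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "axis2"  # shipped admin password named in CVE-2010-0219

# Constructed samples shaped like WEB-INF/conf/axis2.xml (not taken from a real host).
SAMPLE_DEFAULT = """<axisconfig name="AxisJava2.0">
  <parameter name="hotdeployment">true</parameter>
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
</axisconfig>"""
SAMPLE_CHANGED = SAMPLE_DEFAULT.replace(">axis2<", ">constructed-Long-Unique-Value<")
SAMPLE_MISSING = """<axisconfig name="AxisJava2.0">
  <parameter name="hotdeployment">true</parameter>
</axisconfig>"""


def admin_credentials(xml_data):
    """Return (userName, password) read from the top-level <parameter> elements."""
    root = ET.fromstring(xml_data)
    values = {p.get("name"): (p.text or "").strip() for p in root.findall("parameter")}
    return values.get("userName"), values.get("password")


def audit(xml_data):
    """Return a list of finding codes; an empty list means no credential finding."""
    _, password = admin_credentials(xml_data)
    findings = []
    if password is None:
        # Nothing to compare against: confirm by hand how the console authenticates.
        findings.append("password-parameter-missing")
    elif password == "":
        findings.append("empty-password")
    elif password == DEFAULT_PASSWORD:
        findings.append("default-password")
    return findings


if __name__ == "__main__":
    # Usage: python audit_axis2.py /path/to/WEB-INF/conf/axis2.xml [...]
    status = 0
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = audit(fh.read())
        print(path, "OK" if not result else ", ".join(result))
        status = status or int(bool(result))
    sys.exit(status)
```

The script exits non-zero when any file it is given has a finding, so it can gate a configuration-management or image-build step.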

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

EPSS Score

93% chance of being exploited in the next 30 days.

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved