In case you’re utilizing the mainstream rConfig organize design the executives utility to secure and deal with your system gadgets, here we have a significant and earnest admonition for you.

A cybersecurity scientist has as of late distributed subtleties and verification of-idea abuses for two unpatched, basic remote code execution vulnerabilities in the rConfig utility, in any event one of which could permit unauthenticated remote assailants to bargain focused on servers, and associated organize gadgets.


Written in local PHP, rConfig is a free, open source organize gadget arrangement the board utility that permits system architects to design and take visit setup depictions of their system gadgets.

As per the task site, rConfig is being utilized to oversee more than 3.3 million system gadgets, including switches, switches, firewalls, load-balancer, WAN streamlining agents.

What’s progressively troubling? The two vulnerabilities influence all forms of rConfig, including the most recent rConfig rendition 3.9.2, with no security fix accessible at the hour of composing.

Found by Mohammad Askar, each defect dwells in a different document of rConfig—one, followed as CVE-2019-16662, can be misused remotely without requiring pre-verification, while the other, followed as CVE-2019-16663, requires validation before its abuse.


Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
Authenticated RCE (CVE-2019-16663) in search.crud.php

In the two cases, to abuse the blemish, an assailant should simply get to the helpless records with a deformed GET parameter intended to execute malevolent OS directions on the focused on server.

As appeared in the screen captures shared by the specialist, the PoC adventures enable assailants to get a remote shell from the unfortunate casualty’s server, empowering them to run any discretionary order on the undermined server with indistinguishable benefits from of the web application.

In the mean time, another free security specialist dissected the blemishes and found that the second RCE weakness could likewise be misused without requiring validation in rConfig adaptations preceding variant 3.6.0.

“In the wake of checking on rConfig’s source code, in any case, I discovered that rConfig 3.9.2 has those vulnerabilities as well as all variants of it. Besides, CVE-2019-16663, the post-auth RCE can be abused without verification for all adaptations before rConfig 3.6.0,” said the specialist, who passes by online false name Sudoka.

Significant Update

For reasons unknown, not all rCongif establishments are likely defenseless against the first pre-verified RCE helplessness, as detailed at first, SANS security specialists Johannes Ullrich disclosed to The Hacker News.

In the wake of breaking down the zero-day vulnerabilities, Ullrich found that the influenced record related with the principal weakness has a place with an index required during the establishment of rConfig on a server, which is generally proposed to be expelled post-establishment.

On its site, as a major aspect of a rundown of basic undertakings clients need to pursue post-establishment, rConfig likewise prescribes clients to “erase the introduce catalog after the establishment is finished.”

This implies, clients who erased the rConfig establishment index as prescribed are not helpless against the first RCE defect, yet could in any case be in danger because of the second RCE blemish of comparable effect, which additionally doesn’t require validation for more seasoned forms as clarified previously.

On the off chance that you are utilizing rConfig, you are prescribed to briefly expel the application from your server or utilize elective arrangements until security patches show up.

Have a remark about this article? Remark beneath or share it with us on Facebook, Twitter or our LinkedIn Group.

Leave a Reply

Your email address will not be published. Required fields are marked *