Summary

The Exagrid backup appliance at version 4.8.1.1044.P50 suffers from a directory traversal vulnerability at "http://EXAGRID_IP/monitor/data/Upgrade/" (case sensitive) which allows unauthenticated access to detailed log files. Active "support" credentials were found within these logs in Base64 encoded format. The credentials were confirmed to be used to facilitate upgrades on the appliance through a series of Perl scripts. The execution of one such script dumps the encoded credentials into the log file "progress.log" within this directory. Once decoded, these 'support' credentials allow administrative level access to the appliance and its data.

Identification

The vulnerability was identified by running the web content scanning tool 'DIRB' against the Exagrid web console. The scan identified the URL "http://EXAGRID_IP/monitor/data/Upgrade/". Browsing to the directory reveals the "progress.log" file containing Base64 encoded credentials.

Impact

Significant — The process was tested on multiple Exagrid systems and reliably identifies administrative 'support' credentials on appliances which were upgraded to the affected version.

Mitigation

The vulnerability was responsibly disclosed to Exagrid. Users should contact their support representatives for information on updates. Credentials can be reset with the assistance of support.

Disclosure Timeline

7/10/2018: Vulnerability identified, Exagrid support contacted.
7/13/2018: Exagrid support confirmed the issue.
7/19/2018: Final communication from Exagrid.
5/23/2019: Disclosure to MITRE for CVE numbering.
6/4/2019: CVE ranked and published.
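Until an update is applied, defenders can watch web server access logs for requests that reach the exposed directory. The following detection script is an added example, not part of the advisory or any Exagrid code; it assumes the appliance's web logs are available in Apache combined format (an assumption, since the advisory does not describe the log format) and uses constructed sample lines.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real appliance logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2018:14:02:11 +0000] "GET /monitor/data/Upgrade/ HTTP/1.1" 200 1843 "-" "curl/7.58.0"
203.0.113.7 - - [10/Jul/2018:14:02:13 +0000] "GET /monitor/data/Upgrade/progress.log HTTP/1.1" 200 52211 "-" "curl/7.58.0"
198.51.100.2 - - [10/Jul/2018:14:05:00 +0000] "GET /monitor/data/upgrade/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2018:14:06:30 +0000] "GET /login HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The exposed directory is matched case-sensitively, as the advisory notes.
EXPOSED_PREFIX = "/monitor/data/Upgrade/"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and decode percent-encoding so "/Upgrade%2F" style
    # variants still compare against the plain path.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def find_exposure_hits(log_text):
    """Return every request that touched the exposed directory, with context for triage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(EXPOSED_PREFIX):
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            "served": 200 <= rec["status"] < 300,  # 2xx: the appliance actually returned content
            "is_progress_log": rec["path"].endswith("progress.log"),  # the file holding credentials
        })
    return hits


if __name__ == "__main__":
    for hit in find_exposure_hits(SAMPLE_LOG):
        print(hit)
```

A hit with "served" true and "is_progress_log" true should be treated as a credential disclosure and followed by the support-assisted credential reset described under Mitigation.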