← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:121479 · Disclosed 2019-01-30

web

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is like finding the janitor’s key cabinet unlocked, but only in buildings someone misconfigured first

Tenable plugin 121479 is not a product-version bug so much as a *live exposure check*: the scanner was able to request web.config over HTTP and determined the server might return configuration data instead of blocking it. On ASP.NET / IIS stacks, web.config can contain sensitive material such as connectionStrings, appSettings, module settings, and occasionally plaintext or decryptable secrets. Tenable published the plugin on 2019-01-30 and scores it CVSS 5.3 / Medium with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

In practice, vendor *Medium* is a little generous for fleet-wide prioritization because modern IIS normally treats web.config as a protected hidden segment, so reachable exposure usually implies a local app/server misconfiguration, a reverse-proxy edge case, or a nonstandard file-serving path. The finding still matters on any host where it is confirmed, because the next step can be credential theft and pivoting, but the reachable population is narrow and the direct impact is read-only unless the leaked config contains reusable secrets.

"Real issue, but mostly a misconfiguration trapdoor—not a broad patch emergency"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Probe the site with curl or Burp

The attacker sends a direct GET request for /web.config or variant paths through a browser, curl, Burp Suite, or ffuf-style content discovery. This is trivial and unauthenticated if the web app is externally reachable.
Conditions required:
  • The application must be reachable over HTTP(S)
  • The attacker must know or guess the app root path
Where this breaks in practice:
  • Most IIS deployments deny requests to web.config by default
  • WAFs, reverse proxies, or path normalization often block obvious probes
Detection/coverage: Good coverage from web scanners and DAST tools; proxy, WAF, and IIS logs can show direct requests to web.config.
STEP 02

Bypass missing or broken request filtering

The exploit only succeeds if request filtering, hidden segments, extension handling, or upstream routing is misconfigured so the file is served as content. That turns a normally blocked control plane file into a downloadable document.
Conditions required:
  • IIS hidden-segment protection or equivalent control is absent, bypassed, or broken
  • The file is present in the served path
Where this breaks in practice:
  • Default IIS behavior is defensive here
  • Some findings are false positives when the response is an error wrapper or sanitized XML fragment
Detection/coverage: Confirm by reproducing the exact HTTP response body and status code; a true positive returns configuration XML or sensitive values, not a generic error page.
STEP 03

Mine the file for reusable secrets

If the file is disclosed, the attacker parses XML for connectionStrings, service credentials, machine keys, SMTP credentials, API endpoints, or environment-specific details. Burp, simple XPath parsing, or grep is enough; no weaponized exploit framework is needed.
Conditions required:
  • Sensitive values must actually be stored in web.config
  • Leaked values must be valid and not separately protected
Where this breaks in practice:
  • Many shops encrypt sensitive config sections
  • Some modern apps keep secrets in vaults, environment variables, or managed identities instead
Detection/coverage: No network signature beyond the original GET; impact validation usually requires secure review of the returned content.
STEP 04

Pivot with leaked credentials or application insight

The real damage comes after disclosure: the attacker reuses DB credentials, machine keys, SMTP creds, or internal URLs to move deeper into the environment. At that point this becomes an identity and architecture exposure issue rather than a pure web read-only bug.
Conditions required:
  • The returned config contains live credentials or signing material
  • Those credentials are accepted by downstream systems
Where this breaks in practice:
  • Credential rotation, least privilege, network segmentation, and MFA can contain the blast radius
  • Leaked values may be stale or scoped to noncritical services
Detection/coverage: Downstream detections shift to EDR, DB auth logs, IAM logs, SMTP logs, and unusual application authentication events.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo CVE is attached to this Tenable check, and I found no authoritative evidence of active exploitation campaigns tied to this specific issue class.
KEV statusNot KEV-listed / not applicable. CISA KEV tracks named CVEs; this plugin is a misconfiguration-style exposure check rather than a mapped CVE.
PoC availabilityTrivial PoC: a plain GET /web.config with curl, Burp Suite, or any web scanner. No notable named exploit repo is required.
EPSSN/A because EPSS applies to CVEs and this finding has no mapped CVE.
CVSS baselineTenable scores it 5.3 / Medium with CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, which models anonymous low-complexity confidentiality loss but ignores how rarely default IIS exposes web.config.
Affected scopePotentially any ASP.NET / IIS-hosted application where web.config is web-accessible because of request-filtering, routing, proxy, or static-file misconfiguration. There is no vendor version range to patch.
Fixed stateThere is no patched version. The secure state is configuration-based: IIS request filtering / hidden segments block access, and sensitive config sections should be encrypted or moved out of web-reachable paths.
Exposure populationReal-world reachable population is likely small because Microsoft documents hiddenSegments and request filtering as standard controls, and IIS commonly blocks requests to web.config by default.
Detection qualityDiscovery coverage is high because this is easy to scan remotely, but validation quality varies: confirm the exact response body to separate true disclosure from error-page noise.
Disclosure timelineTenable plugin published 2019-01-30, updated 2020-04-27. This is longstanding defensive hygiene, not a newly disclosed software flaw.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.6/10)

The decisive factor is reachability friction: a successful disclosure usually means the site is already misconfigured away from normal IIS protections, so the exposed population is much smaller than the CVSS baseline suggests. Impact can rise fast if secrets are present, but the base condition is still a narrow configuration failure rather than a mass-exploitable product bug.

HIGH This is a misconfiguration/exposure finding rather than a versioned patchable CVE
MEDIUM A generic fleet-wide LOW rating is appropriate absent proof that secrets were actually exposed

Why this verdict

  • Downgrade for default protection: IIS commonly blocks web.config through request filtering / hidden segments, so successful exploitation presumes nondefault server or routing behavior.
  • Downgrade for exposure population: this is not a broadly versioned software flaw; it only exists on the subset of apps where the file is actually web-reachable.
  • Keep it above IGNORE: if the scanner truly retrieved the file, a no-auth remote attacker may immediately harvest credentials, connection strings, or machine keys and pivot.

Why not higher?

There is no evidence here of active exploitation, no KEV entry, and no broad one-to-many version defect requiring emergency fleet patching. The attacker must hit a host that is both externally reachable and locally misconfigured to serve a file IIS usually protects.

Why not lower?

This is not harmless noise if confirmed. A single exposed web.config can reveal secrets that convert a read-only bug into database access, tenant compromise, or lateral movement, so it deserves remediation rather than documentation-only treatment.

05 · Compensating Control

What to do — in priority order.

  1. Block direct access to web.config — Enforce IIS request filtering / hidden segments and verify upstream proxies, CDN rules, and static-file handlers do not override that behavior. For a LOW verdict there is no SLA-backed mitigation deadline, but this is simple hardening and should be folded into normal backlog hygiene promptly.
  2. Review returned content for secrets — If Tenable or manual testing confirms disclosure, inspect the exposed file for connectionStrings, API keys, SMTP creds, machine keys, and internal URLs so you know whether this is merely metadata leakage or a credential incident. For LOW, there is no mitigation SLA, but triage the secret exposure before closing the ticket.
  3. Encrypt or externalize sensitive config — Use protected configuration, a secrets vault, or managed identity patterns so that even accidental file disclosure yields little reusable material. This reduces blast radius permanently and should be handled in normal remediation work for LOW findings.
  4. Hunt for direct requests in logs — Search IIS, reverse proxy, and WAF logs for GET /web.config and encoded variants to identify whether anyone probed the exposure before remediation. This is low-cost verification and helps decide whether credential rotation is warranted.
What doesn't work
  • Relying on HTTPS alone does not help; TLS protects transit, not the fact that the server is willingly serving a sensitive file.
  • Treating this as a patch-only problem does not work because there is usually no vendor patch or fixed version to deploy.
  • Assuming WAF coverage is sufficient is weak; if the origin or proxy path serves the file on a normal request, not every deployment will catch every path variant.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or directly on the IIS host against the exact application URL that Nessus flagged. Invoke it with powershell -ExecutionPolicy Bypass -File .\check-webconfig.ps1 -Url https://app.example.com/; no admin rights are required because this validates the issue remotely by HTTP response.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
param(
    [Parameter(Mandatory=$true)]
    [string]$Url
)

# check-webconfig.ps1
# Purpose: Test whether /web.config is remotely accessible.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$State,
        [int]$Code,
        [string]$Detail
    )
    Write-Output ($State + ': ' + $Detail)
    exit $Code
}

try {
    if (-not $Url.StartsWith('http://') -and -not $Url.StartsWith('https://')) {
        Write-Result 'UNKNOWN' 2 'URL must start with http:// or https://'
    }

    $base = $Url.TrimEnd('/')
    $target = $base + '/web.config'

    $response = Invoke-WebRequest -Uri $target -Method GET -MaximumRedirection 5 -UseBasicParsing -TimeoutSec 20 -Headers @{
        'User-Agent' = 'noisgate-webconfig-check/1.0'
        'Accept' = '*/*'
    } -SkipHttpErrorCheck

    $status = [int]$response.StatusCode
    $body = ''
    if ($null -ne $response.Content) { $body = [string]$response.Content }
    $bodySample = $body.Substring(0, [Math]::Min($body.Length, 400))

    $looksLikeConfig = $false
    if ($body -match '<configuration[\s>]' -or
        $body -match '<appSettings>' -or
        $body -match '<connectionStrings>' -or
        $body -match '<system\.web' -or
        $body -match '<system\.webServer') {
        $looksLikeConfig = $true
    }

    if ($status -eq 200 -and $looksLikeConfig) {
        Write-Result 'VULNERABLE' 1 ("HTTP 200 and response looks like web.config from $target")
    }

    if ($status -in 401,403,404,4048,500) {
        Write-Result 'PATCHED' 0 ("Received blocking/non-content status $status from $target")
    }

    if ($status -eq 200 -and -not $looksLikeConfig) {
        Write-Result 'UNKNOWN' 2 ("HTTP 200 but content does not resemble web.config. Sample: $bodySample")
    }

    Write-Result 'UNKNOWN' 2 ("Unexpected HTTP status $status from $target")
}
catch {
    Write-Result 'UNKNOWN' 2 $_.Exception.Message
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat this as confirmed web misconfiguration, not a fleet-wide patch fire. Reproduce the exact Tenable finding on every flagged URL, fix request-filtering / routing so web.config is not web-readable, and review any exposed file for live secrets; because this is LOW, there is no noisgate mitigation SLA and noisgate remediation SLA is backlog hygiene, but if any returned config contains valid credentials or machine keys, escalate that individual asset immediately as an incident and rotate the affected secrets the same day.

Sources

  1. Tenable Plugin 121479
  2. Microsoft Learn - Hidden Segments
  3. Microsoft Learn - Configure Request Filtering in IIS
  4. Microsoft Learn - web.config file for ASP.NET Core on IIS
  5. Microsoft Learn - Protecting Connection Strings and Other Configuration Information
  6. OWASP WSTG - Review Old Backup and Unreferenced Files for Sensitive Information
  7. OWASP WSTG - Test File Extensions Handling for Sensitive Information
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.