CVE-2014-0659
published 2014-01-12


Priority: P181, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 73.83% (99.4th percentile)
The Cisco WAP4410N access point with firmware through 2.0.6.1, WRVS4400N router with firmware 1.x through 1.1.13 and 2.x through 2.0.2.1, and RVS4000 router with firmware through 2.0.3.2 allow remote attackers to read credential and configuration data, and execute arbitrary commands, via requests to the test interface on TCP port 32764, aka Bug IDs CSCum37566, CSCum43693, CSCum43700, and CSCum43685.

Affected

14 ranges
Vendor | Product | Version range | Fixed in
cisco | rvs4000_firmware | <= 2.0.3.2 |
cisco | rvs4000_firmware | |
cisco | rvs4000_firmware | |
cisco | rvs4000_firmware | |
cisco | rvs4000_firmware | |
cisco | small_business_devices | |
cisco | wap4410n_firmware | <= 2.0.6.1 |
cisco | wap4410n_firmware | |
cisco | wap4410n_firmware | |
cisco | wap4410n_firmware | |
cisco | wrvs4400n_firmware | |
cisco | wrvs4400n_firmware | |
cisco | wrvs4400n_firmware | |
cisco | wrvs4400n_firmware | |

Detection & IOCs (extracted from sources)

port: TCP/32764
command: Opt::RPORT(32764)
bytes: 0x53634d4d (ScMM) - Little Endian backdoor magic bytes
bytes: 0x4d4d6353 (MMcS) - Big Endian backdoor magic bytes
bytes: 0x53634d4d, 0x07, cmd_length - backdoor command execution struct (LE)
  • Detect inbound TCP connections to port 32764 on network devices (WAP4410N, WRVS4400N, RVS4000); any traffic to this port is suspicious and indicative of backdoor access attempts.
  • Detect TCP payloads beginning with the magic bytes 'MMcS' (Big Endian) or 'ScMM' (Little Endian) on port 32764, which are the SerComm backdoor handshake signatures.
  • Detect TCP payloads on port 32764 containing the 12-byte command structure [0x53634d4d][0x07][cmd_length] followed by arbitrary command text, indicating remote command execution attempts via the SerComm backdoor.
  • Use the Metasploit auxiliary scanner module 'scanner/misc/sercomm_backdoor_scanner' to identify vulnerable SerComm-based devices on the network.
  • The backdoor test interface listens on TCP port 32764 and is present in specific firmware versions only; patched firmware completely removes the interface. Verify firmware versions before assuming exposure: WAP4410N ≤2.0.6.1, WRVS4400N 1.x ≤1.1.13 / 2.x ≤2.0.2.1, RVS4000 ≤2.0.3.2.
  • A secondary vulnerability was introduced in the patch itself; Cisco later confirmed the interface was completely removed in subsequent firmware. Devices running the initial 'fix' firmware may still be vulnerable via a different attack path.
  • The backdoor is present in SerComm OEM firmware used across multiple vendors (NetGear, Linksys, Honeywell, Cisco); detection should not be limited to Cisco-branded devices alone.
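
The three traffic checks in the list above combined into one payload classifier, as an added example (not code from this page's sources). It assumes the 12-byte header is three 32-bit fields in a single byte order; the function names, rule names and severity labels are hypothetical, and the sample payloads are constructed.

```python
import struct

BACKDOOR_PORT = 32764   # test-interface port named in the advisory
MAGIC = 0x53634D4D      # magic value listed in the IOCs above
CMD_EXEC = 0x07         # message type in the command-execution struct
HEADER_LEN = 12         # assumed layout: magic, type, length (3 x uint32)

def classify(dst_port, payload):
    """Return a finding dict for one TCP payload, or None if out of scope."""
    if dst_port != BACKDOOR_PORT:
        return None
    # Any traffic to this port on an affected device is worth an alert.
    finding = {"rule": "port-32764-traffic", "severity": "medium"}
    if len(payload) < 4:
        return finding
    # Try both byte orders; the one that decodes the magic value is
    # reused for the remaining two header fields.
    for order in ("<", ">"):
        if struct.unpack(order + "I", payload[:4])[0] != MAGIC:
            continue
        finding.update(rule="sercomm-magic", severity="high")
        if len(payload) >= HEADER_LEN:
            msg_type, length = struct.unpack(order + "II", payload[4:HEADER_LEN])
            body_len = len(payload) - HEADER_LEN
            finding.update(msg_type=msg_type, declared_len=length,
                           truncated=body_len < length)
            if msg_type == CMD_EXEC:
                finding.update(rule="sercomm-command-exec", severity="critical")
        break
    return finding

# Constructed sample payloads (destination port, bytes); not captured traffic.
SAMPLES = [
    (32764, struct.pack("<III", MAGIC, CMD_EXEC, 7) + b"EXAMPLE"),
    (32764, struct.pack(">III", MAGIC, 1, 0)),
    (32764, b"\x00\x01"),
    (443, struct.pack("<I", MAGIC)),
]

def scan(samples):
    """Classify every (port, payload) pair and return the findings in order."""
    return [classify(port, data) for port, data in samples]

if __name__ == "__main__":
    for result in scan(SAMPLES):
        print(result)
```
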

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco | 10.0 | CRITICAL