CVE-2014-125121
published 2025-07-31

CVE-2014-125121: Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of…

Priority P2 · 70 · critical · 10 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 0.82% (52.5th percentile)
Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.

Affected

2 ranges

Vendor          Product  Version range  Fixed in
array_networks  vapv
array_networks  vxag

Detection & IOCs (extracted from sources)

path: /ca/bin/monitor.sh
command: backend -c "debug monitor on"
process: backend
  • Monitor for unauthorized writes or modifications to /ca/bin/monitor.sh, which is world-writable and can be overwritten by any authenticated user.
  • Alert on execution of 'backend' binary with arguments enabling debug monitor, particularly 'backend -c "debug monitor on"', as this triggers privileged payload execution.
  • Detect inbound SSH authentication attempts using hardcoded DSA private key or default credentials on Array Networks vAPV/vxAG appliances.
  • Flag SSH logins to Array Networks appliances that result in a low-privilege shell followed shortly by execution of the backend setuid binary — this two-stage pattern is characteristic of this exploit chain.
  • Affected versions are specifically vAPV 8.3.2.17 and vxAG 9.2.0.34; detection and remediation efforts should be scoped to these exact versions.
  • The vulnerability requires two conditions to be present simultaneously: hardcoded SSH credentials (or DSA private key) AND insecure world-writable permissions on /ca/bin/monitor.sh.
  • The backend binary runs as setuid, meaning any user who can invoke it can trigger privileged script execution, so access controls on this binary are critical.
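
The two-stage pattern from the detection notes above (SSH login followed shortly by the debug-monitor trigger, with a write to /ca/bin/monitor.sh in between) can be correlated as below. This is an added example, not code from the advisory or the vendor; the normalized event schema (`ts`, `host`, `user`, `type`, `detail`), the 300-second window, the host and user names and the sample events are all assumptions constructed for illustration.

```python
import shlex
from datetime import datetime, timedelta

MONITOR_SCRIPT = "/ca/bin/monitor.sh"   # world-writable script named in the advisory
WINDOW = timedelta(seconds=300)         # assumed correlation window

# Constructed events in a hypothetical normalized schema (not real appliance logs).
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T10:00:00", "host": "vapv-01", "user": "u1", "type": "ssh_login", "detail": "publickey"},
    {"ts": "2025-08-01T10:00:40", "host": "vapv-01", "user": "u1", "type": "file_write", "detail": "/ca/bin/monitor.sh"},
    {"ts": "2025-08-01T10:01:05", "host": "vapv-01", "user": "u1", "type": "exec", "detail": 'backend -c "debug monitor on"'},
    {"ts": "2025-08-01T09:00:00", "host": "vxag-02", "user": "u2", "type": "ssh_login", "detail": "password"},
    {"ts": "2025-08-01T09:02:00", "host": "vxag-02", "user": "u2", "type": "exec", "detail": "backend  -c 'debug monitor on'"},
    {"ts": "2025-08-01T07:00:00", "host": "vxag-04", "user": "u3", "type": "ssh_login", "detail": "password"},
    {"ts": "2025-08-01T08:00:00", "host": "vxag-04", "user": "u3", "type": "exec", "detail": 'backend -c "debug monitor on"'},
]

def is_debug_trigger(cmdline):
    """True if cmdline runs `backend -c` with the argument "debug monitor on"."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: treat as not matching
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "backend":
        return False
    for flag, arg in zip(argv[1:], argv[2:]):
        if flag == "-c" and " ".join(arg.lower().split()) == "debug monitor on":
            return True
    return False

def correlate(events, window=WINDOW):
    """Alert when an SSH login is followed within `window` by the debug trigger."""
    alerts, sessions = [], {}   # sessions: (host, user) -> state of latest login
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, key = datetime.fromisoformat(ev["ts"]), (ev["host"], ev["user"])
        if ev["type"] == "ssh_login":
            sessions[key] = {"login": ts, "wrote": False}
            continue
        state = sessions.get(key)
        if state is None or ts - state["login"] > window:
            continue
        if ev["type"] == "file_write" and ev["detail"] == MONITOR_SCRIPT:
            state["wrote"] = True
        elif ev["type"] == "exec" and is_debug_trigger(ev["detail"]):
            # A preceding write to monitor.sh completes the chain described above.
            severity = "critical" if state["wrote"] else "high"
            alerts.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"], "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The correlated alert supplements the standalone alerts on writes to the script and on the debug-monitor command; it does not replace them, since the trigger on vxag-04 falls outside the window and is only caught by the standalone rule.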