CVE-2014-125121
Published 2025-07-31
Priority P2 · 70 · critical · 10 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 0.82% (52.5th percentile)
Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges.
Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| array_networks | vapv | — | — |
| array_networks | vxag | — | — |
Detection & IOCs
- Monitor for unauthorized writes or modifications to /ca/bin/monitor.sh, which is world-writable and can be overwritten by any authenticated user.
- Alert on execution of the 'backend' binary with arguments enabling the debug monitor, particularly 'backend -c "debug monitor on"', as this triggers privileged payload execution.
- Detect inbound SSH authentication attempts using the hardcoded DSA private key or default credentials on Array Networks vAPV/vxAG appliances.
- Flag SSH logins to Array Networks appliances that result in a low-privilege shell followed shortly by execution of the backend setuid binary; this two-stage pattern is characteristic of this exploit chain.
- Affected versions are specifically vAPV 8.3.2.17 and vxAG 9.2.0.34; detection and remediation efforts should be scoped to these exact versions.
- The vulnerability requires two conditions to be present simultaneously: hardcoded SSH credentials (or DSA private key) AND insecure world-writable permissions on /ca/bin/monitor.sh.
- The backend binary runs as setuid, meaning any user who can invoke it can trigger privileged script execution, so access controls on this binary are critical.
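
The indicators in the list above (SSH login, a write to /ca/bin/monitor.sh, then the debug monitor being enabled) can be correlated per appliance. The following is an added example, not a rule from this page or its sources; the normalized event fields (`ts`, `host`, `type`, `path`, `cmdline`), the 900-second window and the sample events are assumptions constructed for illustration.

```python
import re

MONITOR_SCRIPT = "/ca/bin/monitor.sh"   # path named in the advisory
# Matches the command quoted in the advisory, with or without shell quoting.
DEBUG_ON = re.compile(r"\bbackend\b.*-c\s+[\"']?debug\s+monitor\s+on\b")
WINDOW = 900                            # seconds; assumed tuning value


def detect(events, window=WINDOW):
    """Return (ts, host, rule, severity) alerts for the advisory's indicators."""
    alerts, last_login, last_write = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if ev["type"] == "ssh_login":
            last_login[host] = ts
        elif ev["type"] == "file_write" and ev.get("path") == MONITOR_SCRIPT:
            # Any modification of the root-executed script is worth an alert.
            last_write[host] = ts
            alerts.append((ts, host, "monitor_sh_modified", "medium"))
        elif ev["type"] == "exec" and DEBUG_ON.search(ev.get("cmdline", "")):
            def recent(seen):
                return host in seen and ts - seen[host] <= window
            if recent(last_login) and recent(last_write):
                # Full sequence on one host inside the window.
                alerts.append((ts, host, "login_write_debug_chain", "critical"))
            else:
                alerts.append((ts, host, "debug_monitor_enabled", "high"))
    return alerts


# Constructed sample events (not real telemetry); host names are hypothetical.
SAMPLE = [
    {"ts": 1000, "host": "vxag-01", "type": "ssh_login"},
    {"ts": 1060, "host": "vxag-01", "type": "file_write", "path": MONITOR_SCRIPT},
    {"ts": 1090, "host": "vxag-01", "type": "exec",
     "cmdline": 'backend -c "debug monitor on"'},
    {"ts": 5000, "host": "vapv-02", "type": "exec",
     "cmdline": 'backend -c "debug monitor on"'},
    {"ts": 5100, "host": "vapv-02", "type": "exec",
     "cmdline": 'backend -c "debug monitor off"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```
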
- https://packetstorm.news/files/id/125761
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
- https://www.exploit-db.com/exploits/32440
- https://www.vulncheck.com/advisories/array-networks-vapv-vxag-default-credential-privilege-escalation