CVE-2014-1635
Published 2014-11-12
Priority P179 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 67.49% (99.2th percentile)
Buffer overflow in login.cgi in MiniHttpd in Belkin N750 Router with firmware before F9K1103_WW_1.10.17m allows remote attackers to execute arbitrary code via a long string in the jump parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | n750_wireless_router | — | — |
| belkin | n750_wireless_router_firmware | <= 1.10.16n | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"jump="; startswith; isdataat:900,relative; content:"GO=&"; fast_pattern; content:"|3b|"; distance:0; reference:cve,2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2061767; rev:1; metadata:attack_target Server, created_at 2025_04_21, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"GO=&jump="; startswith; isdataat:900,relative; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:6; metadata:created_at 2014_11_11, confidence High, signature_severity Major, updated_at 2025_04_11;)
- The Snort/Suricata rules key on: POST method; URI exactly '/login.cgi'; a request body starting with 'GO=&jump=' (sid:2019686) or 'jump=' (sid:2061767); data still present 900 bytes past that content match (isdataat:900,relative); and, in sid:2061767, the string 'GO=&' followed by a 0x3b byte (semicolon) further into the body.
- Exploitation is unauthenticated and targets the guest network web interface. No session cookie or credentials are required, so any POST to /login.cgi with an abnormally long 'jump' value from an unauthenticated source is suspicious.
- The Snort rule sid:2061767 uses 'urilen:10', which matches only URIs of exactly 10 characters, and '/login.cgi' is exactly 10 characters. Ensure your IDS/IPS does not strip the leading slash or otherwise normalize the URI before length evaluation, or the rule will not fire.
- The exploit was tested against firmware version 1.10.16m, and the NVD advisory states the vulnerability is fixed in F9K1103_WW_1.10.17m. Detections should be scoped to devices running firmware versions prior to 1.10.17m.
- The Metasploit module notes it was tested only in an emulated environment; real-device exploitation reliability may differ.
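The match conditions listed above can be checked offline against captured requests. The following Python sketch is an added example, not part of the original page or the ET ruleset; it approximates the two rules' logic (it does not replace the IDS engine's own URI normalization or `isdataat` handling). The function names, the `router.example` host and the sample requests in the test are constructed for illustration.

```python
# Added example: offline approximation of the two ET rules quoted on this page.
MARGIN = 900  # isdataat:900,relative


def build_request(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Build a constructed HTTP/1.1 request for testing (hypothetical helper)."""
    head = b"%s %s HTTP/1.1\r\nHost: router.example\r\nContent-Length: %d\r\n\r\n"
    return head % (method, uri, len(body)) + body


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if not sep or len(parts) != 3:
        return None
    return parts[0], parts[1], body


def has_data_after(body: bytes, prefix: bytes) -> bool:
    """Body starts with prefix and at least MARGIN bytes follow the match."""
    return body.startswith(prefix) and len(body) >= len(prefix) + MARGIN


def matching_sids(raw: bytes) -> list:
    """Return the sids whose conditions the request satisfies."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, uri, body = parsed
    # urilen:10 plus content:"/login.cgi" means the URI must be exactly this
    # string: no query string, no missing leading slash.
    if method != b"POST" or uri != b"/login.cgi":
        return []
    sids = []
    if has_data_after(body, b"GO=&jump="):           # sid:2019686
        sids.append(2019686)
    if has_data_after(body, b"jump="):               # sid:2061767
        go = body.find(b"GO=&")
        # content:"|3b|"; distance:0 -> a semicolon somewhere after "GO=&"
        if go != -1 and b";" in body[go + 4:]:
            sids.append(2061767)
    return sids
```

A request whose URI has been rewritten (leading slash stripped, query string appended) returns no sids here, which mirrors the `urilen:10` caveat above.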
CVSS provenance
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 10.0 CRITICAL
GHSA
GHSA-qmcw-mq2c-wp27: Buffer overflow in login
ghsa_unreviewed·2022-05-17
CVE-2014-1635 [HIGH] CWE-119 GHSA-qmcw-mq2c-wp27: Buffer overflow in login
VulnCheck
belkin n750_wireless_router_firmware Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2014·CVSS 10.0
CVE-2014-1635 [CRITICAL] belkin n750_wireless_router_firmware Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: belkin n750_wireless_router_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/25/j/rondodox.html; https://beelzebub.ai/blog/rondo-dox-v2/
Exploit PoC: https://vulncheck.com/xdb/f3d43fc6cde3
Suricata
ET EXPLOIT Belkin N750 Buffer Overflow Attempt
suricata·2025-04-21
CVE-2014-1635 ET EXPLOIT Belkin N750 Buffer Overflow Attempt
Suricata
ET EXPLOIT Belkin N750 Buffer Overflow Attempt
suricata·2014-11-11
CVE-2014-1635 ET EXPLOIT Belkin N750 Buffer Overflow Attempt
Exploit-DB
Belkin N750 - 'jump?login' Remote Buffer Overflow
exploitdb·2014-11-06
CVE-2014-1635 Belkin N750 - 'jump?login' Remote Buffer Overflow
---
"""
Source: https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/
A vulnerability in the guest network web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Gigabit Router with firmware F9K1103_WW_1.10.16m, allows an unauthenticated remote attacker to gain root access to the operating system of the affected device. The guest network functionality is default functionality and is delivered over an unprotected wifi network.
Successful exploitation of the vulnerability enables the attacker to gain full control of the affected router.
"""
#!/usr/bin/python
#Title : Belkin n750 buffer overflow in jump login parameter
#Date : 28 Jan 2014
#Author : Discovered and developed by Marco Vaz
#Tes
Metasploit
Belkin Play N750 login.cgi Buffer Overflow
metasploit
This module exploits a remote buffer overflow vulnerability on Belkin Play N750 DB Wireless Dual-Band N+ Router N750 routers. The vulnerability exists in the handling of HTTP queries with long 'jump' parameters addressed to the /login.cgi URL, allowing remote unauthenticated attackers to execute arbitrary code. This module was tested in an emulated environment, using the version 1.10.16.m of the firmware.
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09·CVSS 8.8
[HIGH] RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus · Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
# RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus · 2025/10/09
Key takeaways
- The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Bugzilla
CVE-2014-1576 Mozilla: Buffer overflow during CSS manipulation (MFSA 2014-75)
bugzilla·2014-10-14·CVSS 7.5
CVE-2014-1576 [HIGH] CVE-2014-1576 Mozilla: Buffer overflow during CSS manipulation (MFSA 2014-75)
Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered a buffer overflow when making capitalization style changes during CSS parsing. This can cause a crash that is potentially exploitable.
External Reference:
http://www.mozilla.org/security/announce/2014/mfsa2014-75.html
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Atte Kettunen as the original reporter.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
Via RHSA-2014:1635 https://rhn.redhat.com/errata/RHSA-2014-1635.html
References
- http://osvdb.org/show/osvdb/114345
- http://www.belkin.com/us/support-article?articleNum=4831
- http://www.exploit-db.com/exploits/35184
- http://www.securityfocus.com/bid/70977
- http://www.securitytracker.com/id/1031210
- https://labs.integrity.pt/advisories/cve-2014-1635/
- https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/