CVE-2014-1635
published 2014-11-12

Priority: P1 · 79 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 67.49% (99.2th percentile)
Buffer overflow in login.cgi in MiniHttpd in Belkin N750 Router with firmware before F9K1103_WW_1.10.17m allows remote attackers to execute arbitrary code via a long string in the jump parameter.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
belkin | n750_wireless_router | - | -
belkin | n750_wireless_router_firmware | <= 1.10.16n | -

Detection & IOCs (extracted from sources)

path: /login.cgi
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"jump="; startswith; isdataat:900,relative; content:"GO=&"; fast_pattern; content:"|3b|"; distance:0; reference:cve,2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2061767; rev:1; metadata:attack_target Server, created_at 2025_04_21, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"GO=&jump="; startswith; isdataat:900,relative; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:6; metadata:created_at 2014_11_11, confidence High, signature_severity Major, updated_at 2025_04_11;)
  • The Snort/Suricata rules key on: POST method; URI exactly '/login.cgi'; a request body starting with 'GO=&jump=' (sid:2019686) or 'jump=' (sid:2061767); at least 900 bytes of body data after that content match (isdataat:900,relative); and, for sid:2061767 only, 'GO=&' in the body followed by byte 0x3b (semicolon).
  • Exploitation is unauthenticated and targets the guest network web interface; no session cookie or credentials are required, so any POST to /login.cgi with an abnormally long 'jump' value from an unauthenticated source is suspicious.
  • The Snort rule sid:2061767 uses 'urilen:10', which matches only URIs of exactly 10 characters; '/login.cgi' is exactly 10 characters. Ensure your IDS/IPS does not strip the leading slash or normalize the URI before length evaluation, or the rule will not fire.
  • The exploit was tested against firmware version 1.10.16m; the NVD advisory states the vulnerability is fixed in F9K1103_WW_1.10.17m. Detections should be scoped to devices running firmware versions prior to 1.10.17m.
  • The Metasploit module notes it was tested only in an emulated environment; real-device exploitation reliability may differ.
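
The content logic of the two rules above, re-expressed for triaging proxy or WAF logs, as an added example that is not part of the original rules or this page's sources. The function names and sample requests are constructed for illustration, and the 900-byte check approximates isdataat:900,relative as "at least 900 bytes follow the match". It also goes one step beyond the rules by measuring the 'jump' field wherever it sits in the body, following the note that any abnormally long 'jump' value is suspicious.

```python
MIN_TRAILING = 900  # taken from isdataat:900,relative in both rules


def _long_after(body: bytes, prefix: bytes) -> bool:
    """True if body starts with prefix and >= MIN_TRAILING bytes follow it."""
    return body.startswith(prefix) and len(body) - len(prefix) >= MIN_TRAILING


def matching_sids(method: str, uri: str, body: bytes) -> list[int]:
    """Return the sids whose content conditions this request satisfies."""
    # urilen:10 plus content:"/login.cgi" leaves exactly one possible URI.
    if method != "POST" or uri != "/login.cgi":
        return []
    sids = []
    if _long_after(body, b"GO=&jump="):
        sids.append(2019686)
    if _long_after(body, b"jump="):
        # sid:2061767 also needs "GO=&" and a 0x3b byte somewhere after it.
        go = body.find(b"GO=&")
        if go != -1 and b";" in body[go + len(b"GO=&"):]:
            sids.append(2061767)
    return sids


def jump_length(body: bytes) -> int:
    """Length of the longest 'jump' form field, regardless of field order."""
    longest = 0
    for field in body.split(b"&"):
        name, _, value = field.partition(b"=")
        if name == b"jump":
            longest = max(longest, len(value))
    return longest


# Constructed sample requests (filler bytes only), not captured traffic.
SAMPLES = [
    ("POST", "/login.cgi", b"GO=&jump=index.html"),
    ("POST", "/login.cgi", b"GO=&jump=" + b"A" * 1000),
    ("POST", "/login.cgi", b"jump=" + b"A" * 1000 + b"&GO=&pad=;"),
    ("POST", "/login.cgi", b"pad=1&jump=" + b"A" * 1000),
    ("GET", "/login.cgi", b""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, matching_sids(method, uri, body), jump_length(body))
```
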

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 10.0 | CRITICAL