CVE-2014-2321
published 2014-03-11


Priority: P1, 82, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 59.26% (99.0th percentile)
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.

Detection & IOCs (extracted from sources)

path: /web_shell_cmd.gch
command: set TelnetCfg
snort: alert http any any -> any any (msg:"ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/web_shell_cmd.gch"; fast_pattern; http.request_body; content:"IF_ACTION=apply&IF_ERRORSTR=SUCC&"; startswith; reference:url,twitter.com/bad_packets/status/1235106406144937984; reference:cve,2014-2321; reference:url,github.com/stasinopoulos/ZTExploit/; classtype:attempted-user; sid:2032077; rev:2; metadata:affected_product Router, attack_target IoT, created_at 2021_03_16, cve CVE_2014_2321, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_16;)
bytes: IF_ACTION=apply&IF_ERRORSTR=SUCC&
  • HTTP GET request to /web_shell_cmd.gch returning HTTP 200 with body containing both 'please input shell command' and 'ZTE Corporation. All rights reserved' indicates a vulnerable exposed web shell endpoint.
  • Exploit traffic is sent via HTTP POST to /web_shell_cmd.gch with a request body starting with 'IF_ACTION=apply&IF_ERRORSTR=SUCC&'; detection should focus on this URI + method + body prefix combination.
  • Attackers use 'sendcmd' requests to the web shell to issue 'set TelnetCfg' commands, enabling a Telnet service with attacker-controlled credentials — monitor for Telnet service activation following HTTP POST activity to this endpoint.
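The three detection points above (exposed-endpoint fingerprint, exploit POST body prefix, and Telnet activation following the POST) can be expressed as a small log-scanning routine. The following is an added example written for this page, not code from cvebase, Proofpoint or any vendor; the HTTP records and Telnet listener events are constructed sample data, and the 300-second correlation window is an assumed value rather than one the sources state.

```python
"""Detection logic for CVE-2014-2321 indicators (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the detection notes above
WEB_SHELL_PATH = "/web_shell_cmd.gch"
EXPLOIT_BODY_PREFIX = "IF_ACTION=apply&IF_ERRORSTR=SUCC&"
EXPOSURE_MARKERS = ("please input shell command",
                    "ZTE Corporation. All rights reserved")
TELNET_WINDOW_SECONDS = 300  # assumed correlation window, not from the sources


@dataclass
class HttpRecord:
    ts: float                  # epoch seconds
    src: str                   # client address
    dst: str                   # modem address
    method: str
    uri: str
    status: Optional[int] = None
    request_body: str = ""
    response_body: str = ""


def classify(rec: HttpRecord) -> Optional[str]:
    """Return 'exploit_attempt', 'exposed_web_shell', or None for one HTTP record."""
    path = rec.uri.split("?", 1)[0]          # ignore any query string
    if path != WEB_SHELL_PATH:
        return None
    method = rec.method.upper()
    # POST with the body prefix from the Suricata rule: exploit attempt
    if method == "POST" and rec.request_body.startswith(EXPLOIT_BODY_PREFIX):
        return "exploit_attempt"
    # GET returning 200 with both banner strings: exposed, unpatched endpoint
    if (method == "GET" and rec.status == 200
            and all(m in rec.response_body for m in EXPOSURE_MARKERS)):
        return "exposed_web_shell"
    return None


def scan(records: List[HttpRecord]) -> List[Tuple[float, str, str, str]]:
    """Return (ts, src, dst, verdict) for every record that matches an indicator."""
    hits = []
    for rec in records:
        verdict = classify(rec)
        if verdict:
            hits.append((rec.ts, rec.src, rec.dst, verdict))
    return hits


def correlate_telnet(hits, telnet_events: List[Tuple[float, str]],
                     window: float = TELNET_WINDOW_SECONDS):
    """Pair exploit attempts with a Telnet listener appearing on the same modem.

    telnet_events: (ts, host) tuples, host = device that started listening on TCP/23.
    Returns (modem, attacker, seconds_after_post) for each pairing inside the window.
    """
    out = []
    for ts, src, dst, verdict in hits:
        if verdict != "exploit_attempt":
            continue
        for ets, host in telnet_events:
            if host == dst and 0 <= ets - ts <= window:
                out.append((dst, src, ets - ts))
    return out


# Constructed sample traffic (RFC 5737 documentation addresses)
SAMPLE_HTTP = [
    HttpRecord(1000.0, "203.0.113.7", "192.0.2.10", "GET", WEB_SHELL_PATH, 200,
               response_body="<html>please input shell command ... "
                             "ZTE Corporation. All rights reserved</html>"),
    HttpRecord(1005.0, "203.0.113.7", "192.0.2.10", "POST", WEB_SHELL_PATH, 200,
               request_body=EXPLOIT_BODY_PREFIX + "placeholder=1"),
    HttpRecord(1010.0, "198.51.100.3", "192.0.2.10", "GET", "/index.html", 200,
               response_body="<html>home</html>"),
    HttpRecord(1015.0, "198.51.100.3", "192.0.2.11", "POST", WEB_SHELL_PATH, 200,
               request_body="IF_ACTION=cancel&"),             # wrong prefix: no hit
    HttpRecord(1020.0, "198.51.100.3", "192.0.2.11", "GET", WEB_SHELL_PATH, 200,
               response_body="please input shell command"),   # only one marker: no hit
]
SAMPLE_TELNET = [(1060.0, "192.0.2.10"), (2000.0, "192.0.2.11")]

if __name__ == "__main__":
    hits = scan(SAMPLE_HTTP)
    for h in hits:
        print(h)
    print(correlate_telnet(hits, SAMPLE_TELNET))
```

The body-prefix check uses `startswith`, mirroring the `startswith` modifier in the Suricata rule above, so a POST that merely contains the string elsewhere in its body does not fire; the GET fingerprint requires both banner strings, which keeps generic ZTE copyright pages from matching.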

CVSS provenance

NVD: CVSS v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 10.0 CRITICAL