CVE-2014-2321
Published 2014-03-11
CVE-2014-2321: web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set…
Priority: P1 82 · critical · CVSS 2.0 score 10
CVSS 2.0 vector: AV:N / AC:L / Au:N / C:C / I:C / A:C
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 59.26% (99.0th percentile)
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
Detection & IOCs (extracted from sources)
Snort/Suricata rule:
alert http any any -> any any (msg:"ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/web_shell_cmd.gch"; fast_pattern; http.request_body; content:"IF_ACTION=apply&IF_ERRORSTR=SUCC&"; startswith; reference:url,twitter.com/bad_packets/status/1235106406144937984; reference:cve,2014-2321; reference:url,github.com/stasinopoulos/ZTExploit/; classtype:attempted-user; sid:2032077; rev:2; metadata:affected_product Router, attack_target IoT, created_at 2021_03_16, cve CVE_2014_2321, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_16;)
Byte pattern (HTTP request body prefix): IF_ACTION=apply&IF_ERRORSTR=SUCC&
- An HTTP GET request to /web_shell_cmd.gch that returns HTTP 200 with a body containing both 'please input shell command' and 'ZTE Corporation. All rights reserved' indicates an exposed, vulnerable web shell endpoint.
- Exploit traffic is sent as an HTTP POST to /web_shell_cmd.gch with a request body starting with 'IF_ACTION=apply&IF_ERRORSTR=SUCC&'; detection should key on this combination of URI, method and body prefix.
- Attackers use 'sendcmd' requests to the web shell to issue 'set TelnetCfg' commands, enabling a Telnet service with attacker-controlled credentials; monitor for Telnet service activation following HTTP POST activity to this endpoint.
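The three indicators above turned into runnable checks, as an added example (not code from the CVE record or from any source quoted on this page); the HttpTxn structure, the alert label names and the SAMPLE_* traffic are assumptions constructed for illustration, and the correlation helper generalises the third indicator to a configurable time window.

```python
"""Detection checks for CVE-2014-2321 (web_shell_cmd.gch) traffic.
Added example, not code from the CVE record or any source quoted above: the three
Detection & IOCs indicators as checks over parsed HTTP transactions, plus a
time-window correlation with Telnet connections. SAMPLE_* data is constructed."""
from dataclasses import dataclass

SHELL_PATH = "/web_shell_cmd.gch"
BODY_PREFIX = "IF_ACTION=apply&IF_ERRORSTR=SUCC&"  # body prefix matched by ET sid 2032077
EXPOSURE_MARKERS = ("please input shell command", "ZTE Corporation. All rights reserved")
TELNET_MARKER = "TelnetCfg"                        # from the 'set TelnetCfg' demonstration

@dataclass
class HttpTxn:
    ts: float            # epoch seconds
    dst: str             # modem address
    method: str
    uri: str
    req_body: str = ""
    status: int = 0
    resp_body: str = ""

def classify(txn: HttpTxn) -> list[str]:
    """Alert labels for one transaction; empty when nothing matches."""
    labels = []
    if txn.uri.split("?", 1)[0] != SHELL_PATH:     # ignore any query string
        return labels
    if (txn.method == "GET" and txn.status == 200
            and all(m in txn.resp_body for m in EXPOSURE_MARKERS)):
        labels.append("exposed-webshell")           # endpoint reachable and answering
    if txn.method == "POST" and txn.req_body.startswith(BODY_PREFIX):
        labels.append("exploit-attempt")            # same URI+method+prefix as the ET rule
        if TELNET_MARKER in txn.req_body:
            labels.append("telnet-enable-attempt")
    return labels

def correlate_telnet(txns, telnet_conns, window=300.0):
    """Hosts with an exploit-attempt POST followed, within `window` s, by a Telnet connection."""
    hits = set()
    for t in txns:
        if "exploit-attempt" in classify(t):
            hits.update(h for ts, h in telnet_conns if h == t.dst and 0 <= ts - t.ts <= window)
    return sorted(hits)

# Constructed sample traffic: an exposure probe, an exploit attempt, a benign POST.
SAMPLE_TXNS = [
    HttpTxn(100.0, "10.0.0.5", "GET", SHELL_PATH, status=200,
            resp_body="please input shell command ... ZTE Corporation. All rights reserved"),
    HttpTxn(130.0, "10.0.0.5", "POST", SHELL_PATH, req_body=BODY_PREFIX + "x=sendcmd+set+TelnetCfg"),
    HttpTxn(140.0, "10.0.0.6", "POST", "/login.gch", req_body="user=admin")]
SAMPLE_TELNET = [(200.0, "10.0.0.5")]  # (ts, host): new inbound tcp/23 connection
```

In a real deployment the transactions would come from a proxy or IDS HTTP log and the Telnet events from a flow or connection log keyed on the modem's address.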
CVSS provenance
NVD: CVSS v2.0 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 10.0 CRITICAL
GHSA
GHSA-wx3r-f6q6-jhjw: web_shell_cmd (unreviewed · 2022-05-17 · severity HIGH)
Description: identical to the CVE text above.
VulnCheck
ZTE F460 and F660 Cable Modems web_shell_cmd.gch Security Bypass (2014 · CVSS 10.0 · CRITICAL)
Description: identical to the CVE text above.
Affected: ZTE f460
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/
- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
- https://cybersecurity
Suricata
ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321) (2021-03-16 · CVSS 10.0 · CRITICAL · sid 2032077; rule text listed under Detection & IOCs above)
Nuclei
ZTE Cable Modem Web Shell (CVSS 10.0 · CRITICAL; description as in the template below)
Template:
id: CVE-2014-2321
info:
  name: ZTE Cable Modem Web Shell
  author: geeknik
  severity: critical
  description: |
    ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests to web_shell_cmd.gch, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
  impact: |
    Remote code execution
  remediation: |
    Apply the latest firmware update provided by ZTE to fix the vulnerability
  reference:
    - https://yosmelvin.wordpress.com/2017/09/21/f660-mo
References:
- http://www.kb.cert.org/vuls/id/600724
- http://www.myxzy.com/post-411.html
- https://community.rapid7.com/community/infosec/blog/2014/03/03/disclosure-r7-2013-18-zte-f460-and-zte-f660-webshellcmdgch-backdoor