cbcvebase.
CVE-2014-2595
published 2020-02-12

CVE-2014-2595: Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained…

PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
16.87%
96.7th percentile
Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.

Affected

1 ranges
VendorProductVersion rangeFixed in
barracudaweb_application_firewall

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://www.example.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest
path/cgi-mod/index.cgi
  • Detect authentication bypass attempts by monitoring HTTP requests to /cgi-mod/index.cgi containing a large/permanent 'et' (epoch time) parameter value such as '99999999996', which represents a non-expiring authentication token passed via query string.
  • Flag HTTP requests to /cgi-mod/index.cgi where the query string contains both 'et=99999999996' (or similarly large epoch values) and 'user=guest', indicating exploitation of the permanent token bypass.
  • Monitor for the known guest-account password hash '5a2fd48b65c5d80881eeb0f738bcc6dc' appearing in query strings to /cgi-mod/index.cgi, which is characteristic of this exploit.
  • ·The exploit URL uses 'www.example.com' as a placeholder; the actual target host will vary. Detection rules should match on the path and query parameter patterns rather than the hostname.
  • ·The vulnerability is confirmed on version 7.8.1.013 but other versions may also be affected, so version-scoped detection may produce false negatives.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.