CVE-2014-2849
published 2014-04-11


Priority: P2 · 65 · high
CVSS 2.0: 8.5, vector AV:N/AC:L/Au:S/C:N/I:C/A:C
Exploit: public exploit available
EPSS: 60.93% (99.0th percentile)
The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request.

Affected

78 ranges
Vendor: sophos
Product: web_appliance_firmware
Version range: <= 3.8.1.1
Fixed in: (not listed in the table; the description states versions before 3.8.2 are affected)

Detection & IOCs (extracted from sources)

url: /index.php?c=change_password
command: echo #{pay}|base64 --decode|sh
port: 443
  • Monitor POST requests to /index.php?c=change_password containing an 'admins' parameter with a JSON payload overriding the admin password hash — this is the mass assignment exploitation vector.
  • Detect POST requests to /index.php?c=netinterface where the 'address' field contains backtick characters or shell metacharacters, indicating command injection in the static network interface configuration.
  • Look for the static password 'notpassword' (salt used in exploit) appearing in authentication attempts to the admin account on the Sophos Web Appliance login endpoint.
  • Detect the 'admins' POST parameter containing JSON with 'default_admin' id and a crafted password hash field — this is the specific payload used to overwrite the admin credentials.
  • Alert on base64-encoded payloads piped to 'base64 --decode|sh' appearing in HTTP POST body fields (e.g., 'address') on the Sophos Web Appliance management interface.
  • The exploit targets Sophos Web Protection Appliance version 3.8.1.1 specifically; the vulnerability affects versions before 3.8.2.
  • Exploitation requires an initial valid (non-admin) authenticated session; the attacker must supply a working USERNAME and PASSWORD to begin the attack chain.
  • A side effect of the exploit is deletion of all non-admin user accounts on the appliance, which may serve as a forensic indicator of compromise.
  • The exploit uses SSL (HTTPS on port 443) by default; detection rules must inspect TLS-decrypted traffic to catch the attack.
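The detection bullets above, turned into a small matcher as an added example (not code from cvebase or from Sophos). It assumes requests have already been TLS-decrypted into (method, path, form body) tuples; the sample requests, the indicator names and the JSON field name "password" inside the 'admins' parameter are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, path, body); not real captures.
SAMPLE_REQUESTS = [
    ("POST", "/index.php?c=login", "username=analyst&password=Hunter2"),
    ("POST", "/index.php?c=change_password",
     'admins=[{"id":"default_admin","password":"CONSTRUCTED_HASH"}]'),
    ("POST", "/index.php?c=netinterface",
     "address=`echo QUJD|base64 --decode|sh`&netmask=255.255.255.0"),
    ("POST", "/index.php?c=netinterface", "address=10.0.0.5&netmask=255.255.255.0"),
]

SHELL_META = re.compile(r"[`$;|&]|\$\(")                  # shell metacharacters
DECODE_PIPE = re.compile(r"base64\s+(--decode|-d)\s*\|\s*sh")  # decode-and-run pipe

def indicators(method, path, body):
    """Return the names of the detections that fire for one decrypted request."""
    hits = []
    if method.upper() != "POST":
        return hits
    controller = parse_qs(urlsplit(path).query).get("c", [""])[0]
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    # Mass-assignment vector: 'admins' JSON naming default_admin with a password-like field
    if controller == "change_password" and "admins" in form:
        try:
            entries = json.loads(form["admins"])
        except ValueError:
            entries = []
        if not isinstance(entries, list):
            entries = [entries]
        for entry in entries:
            if (isinstance(entry, dict) and entry.get("id") == "default_admin"
                    and any("pass" in key.lower() for key in entry)):
                hits.append("admin-password-mass-assignment")
                break
    # Command-injection vector: metacharacters or a decode pipe in the 'address' field
    if controller == "netinterface":
        addr = form.get("address", "")
        if SHELL_META.search(addr):
            hits.append("netinterface-shell-metachar")
        if DECODE_PIPE.search(addr):
            hits.append("base64-decode-pipe-to-sh")
    return hits

def scan(requests):
    """Map the index of every flagged request to the indicators that fired."""
    return {i: indicators(*r) for i, r in enumerate(requests) if indicators(*r)}
```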