CVE-2014-2850
published 2014-04-11


Priority: P2 70 high
CVSS 2.0: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Exploit: available
EPSS: 57.57% (99.0th percentile)
The network interface configuration page (netinterface) in Sophos Web Appliance before 3.8.2 allows remote administrators to execute arbitrary commands via shell metacharacters in the address parameter.

Affected

78 ranges · showing 25 (the remaining listed rows repeat the same vendor/product with no version data)

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| sophos | web_appliance_firmware | <= 3.8.1.1 | |

Detection & IOCs (extracted from sources)

url: /index.php?c=netinterface
command: `echo #{pay}|base64 --decode|sh`
  • Monitor POST requests to /index.php?c=netinterface containing shell metacharacters (backticks, pipes, semicolons) in the 'address' parameter, which is the injection point for command execution.
  • Detect the mass assignment abuse pattern: a POST to /index.php?c=change_password that includes an 'admins' JSON field containing 'default_admin'; this is used to overwrite the admin password hash as a non-privileged user.
  • Alert on the exploit's characteristic payload delivery pattern in the 'address' field: a base64-encoded payload decoded and piped to sh via backtick shell injection (e.g., `echo <base64>|base64 --decode|sh`).
  • Look for sequential authentication flows targeting the Sophos WPA: initial GET /index.php to harvest STYLE key, followed by POST to /index.php?c=login, then POST to /index.php?c=change_password with an 'admins' parameter, then re-login as 'admin' with password 'notpassword', then POST to /index.php?c=netinterface.
  • Flag login attempts to the Sophos WPA using the static credential 'admin'/'notpassword', which is the hardcoded password set by the Metasploit exploit module during the privilege escalation chain.
  • The exploit targets Sophos Web Protection Appliance version 3.8.1.1 and earlier (fixed in 3.8.2). The vulnerable endpoint is only reachable over HTTPS (port 443) and requires prior authentication, meaning exploitation requires valid credentials or successful chaining with the mass assignment vulnerability.
  • The exploit's mass assignment step (changing the admin password hash) will delete all other user accounts on the appliance as a side effect, which may be a detectable artifact of exploitation.
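The detection guidance above, turned into runnable logic as an added example (this is not code from the advisory, from Sophos, or from the Metasploit module): it classifies constructed sample requests by the listed patterns and flags when the mass-assignment step precedes a netinterface injection. The request tuple shape, the alert names and the sample bodies are assumptions, not observed traffic.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample requests (method, path, body) as a reverse proxy or WAF in
# front of the appliance might log them; these are not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "/index.php", ""),
    ("POST", "/index.php?c=login", "username=reporter&password=hunter2"),
    ("POST", "/index.php?c=change_password",
     '{"password":"x","admins":{"default_admin":{"password":"<hash>"}}}'),
    ("POST", "/index.php?c=login", "username=admin&password=notpassword"),
    ("POST", "/index.php?c=netinterface",
     "address=`echo aWQ=|base64 --decode|sh`&netmask=255.255.255.0"),
    ("POST", "/index.php?c=netinterface", "address=192.0.2.10&netmask=255.255.255.0"),
]

SHELL_META = re.compile(r"[`|;&$<>\n]")  # metacharacters named in the advisory, plus a few more
B64_PIPE_SH = re.compile(r"base64\s+(?:--decode|-d)\s*\|\s*sh\b")

def classify(method, path, body):
    """Return the alert names raised by one request; an empty list means benign."""
    alerts = []
    if method != "POST":
        return alerts
    controller = parse_qs(urlparse(path).query).get("c", [""])[0]
    if controller == "netinterface":
        # parse_qs splits each pair on the first '=' only, so a payload containing '=' survives intact
        for value in parse_qs(body).get("address", []):
            if SHELL_META.search(value):
                alerts.append("netinterface_shell_metachar")
            if B64_PIPE_SH.search(value):
                alerts.append("netinterface_base64_pipe_sh")
    elif controller == "change_password" and "admins" in body and "default_admin" in body:
        alerts.append("change_password_mass_assignment")
    elif controller == "login":
        creds = parse_qs(body)
        if creds.get("username") == ["admin"] and creds.get("password") == ["notpassword"]:
            alerts.append("login_static_msf_credential")
    return alerts

def scan(requests):
    """Classify every request, returning (index, alert) pairs in log order."""
    return [(i, a) for i, (m, p, b) in enumerate(requests) for a in classify(m, p, b)]

def chain_suspected(findings):
    """True when the privilege-escalation step precedes a netinterface injection alert."""
    first = next((i for i, a in findings if a == "change_password_mass_assignment"), None)
    return first is not None and any(i > first and a.startswith("netinterface_") for i, a in findings)

if __name__ == "__main__":
    for index, alert in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {alert}")
    print("full exploit chain suspected:", chain_suspected(scan(SAMPLE_REQUESTS)))
```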