CVE-2014-8387
published 2014-11-20CVE-2014-8387: cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in…
PriorityP265critical9CVSS 2.0
AVNACLAuSCCICAC
EXPLOIT
EPSS
23.81%
97.5th percentile
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | eki-6340_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests to /cgi/ping.cgi containing shell metacharacters (e.g., ';', '|', '`') in the 'pinghost' parameter, which indicates command injection attempts. ↗
- →Alert on HTTP authentication attempts to /cgi/ping.cgi or /cgi/utility.cgi using the default guest credentials (username: 'user', password: 'user'), which are the default credentials enabling exploitation. ↗
- →Detect GET/POST requests to /cgi/ping.cgi where the 'pinghost' parameter contains URL-encoded shell command separators such as '%3B' (;) or '%7C' (|) followed by OS commands. ↗
- →Flag access to /cgi/ping.cgi by the 'guest' (user) account, as the webserver default config explicitly grants guest access to this vulnerable endpoint. ↗
- ·The vulnerable CGI endpoint /cgi/ping.cgi is accessible to the low-privileged 'guest' user by default due to the 'guest_allow' directive in fshttpd.conf, meaning exploitation does not require admin credentials. ↗
- ·Default credentials for the guest account are username 'user' and password 'user'; these are rarely changed, significantly lowering the bar for exploitation. ↗
- ·The vendor confirmed they will not patch this vulnerability as the EKI-6340 device is being discontinued; no firmware fix is available. ↗
- ·The default admin credentials are also 'admin'/'admin' per the fshttpd.conf configuration, compounding the risk of full administrative compromise. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://seclists.org/fulldisclosure/2014/Nov/58http://www.coresecurity.com/advisories/advantech-eki-6340-command-injectionhttp://www.securityfocus.com/archive/1/534021/100/0/threadedhttp://www.securityfocus.com/bid/71192http://seclists.org/fulldisclosure/2014/Nov/58http://www.coresecurity.com/advisories/advantech-eki-6340-command-injectionhttp://www.securityfocus.com/archive/1/534021/100/0/threadedhttp://www.securityfocus.com/bid/71192
2014-11-20
Published