CVE-2014-8387
published 2014-11-20

Priority: P2 65 critical
CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
EXPLOIT
EPSS: 23.81% (97.5th percentile)
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.

Affected (1 range)

Vendor: advantech
Product: eki-6340_firmware
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

  • path: /cgi/ping.cgi
  • path: /usr/webui/webroot/cgi/utility.cgi
  • url: http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3
  • command: pinghost=127.0.0.1;sleep%2010
  • path: /usr/webui/webroot/cgi/ping.cgi
  • filename: fshttpd.conf
  • Monitor HTTP requests to /cgi/ping.cgi containing shell metacharacters (e.g., ';', '|', '`') in the 'pinghost' parameter, which indicates command injection attempts.
  • Alert on HTTP authentication attempts to /cgi/ping.cgi or /cgi/utility.cgi using the default guest credentials (username: 'user', password: 'user'), which are the default credentials enabling exploitation.
  • Detect GET/POST requests to /cgi/ping.cgi where the 'pinghost' parameter contains URL-encoded shell command separators such as '%3B' (;) or '%7C' (|) followed by OS commands.
  • Flag access to /cgi/ping.cgi by the 'guest' (user) account, as the webserver default config explicitly grants guest access to this vulnerable endpoint.
  • The vulnerable CGI endpoint /cgi/ping.cgi is accessible to the low-privileged 'guest' user by default due to the 'guest_allow' directive in fshttpd.conf, meaning exploitation does not require admin credentials.
  • Default credentials for the guest account are username 'user' and password 'user'; these are rarely changed, significantly lowering the bar for exploitation.
  • The vendor confirmed they will not patch this vulnerability as the EKI-6340 device is being discontinued; no firmware fix is available.
  • The default admin credentials are also 'admin'/'admin' per the fshttpd.conf configuration, compounding the risk of full administrative compromise.
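As an added example (not code from this page, the CVE sources, or Advantech), the following Python detector implements the log-monitoring bullets above: it parses access-log lines, percent-decodes the 'pinghost' parameter of requests to the page's two CGI endpoints, flags shell metacharacters, and flags use of the default guest account. The combined log format, the constructed sample lines, and the authuser field carrying the HTTP Basic username are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoints named on this page; 'guest_allow' in fshttpd.conf exposes them to the guest account.
WATCHED_PATHS = {"/cgi/ping.cgi", "/cgi/utility.cgi"}
# Shell metacharacters that never belong in a hostname or IP literal.
METACHARS = re.compile(r"[;|&`$()\n]")
# Assumed Apache/NCSA combined format: client ident authuser [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def inspect_line(line):
    """Return alert strings for one access-log line (empty list if benign or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, authuser, method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return []
    alerts = []
    # Split the raw query ourselves and decode each value, so '%3B' and ';' are treated alike.
    # A raw '&' inside the value ends the parameter at the HTTP layer; only '%26' survives decoding.
    for key, _, raw in (p.partition("=") for p in parts.query.split("&")):
        value = unquote(raw)
        if key == "pinghost" and METACHARS.search(value):
            alerts.append(f"{client} {method} {parts.path}: shell metacharacter in pinghost={value!r}")
    if authuser == "user":
        alerts.append(f"{client} accessed {parts.path} as default guest account 'user'")
    return alerts


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect all alerts."""
    return [alert for line in lines for alert in inspect_line(line)]


# Constructed sample log lines (not real traffic); two mirror the page's PoC query shape.
SAMPLE_LOG = [
    '10.0.0.5 - user [20/Nov/2014:10:01:02 +0000] "GET /cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3 HTTP/1.1" 200 512',
    '10.0.0.5 - user [20/Nov/2014:10:01:03 +0000] "GET /cgi/ping.cgi?pinghost=10.0.0.1%7Cid&pingsize=3 HTTP/1.1" 200 512',
    '10.0.0.9 - admin [20/Nov/2014:10:02:00 +0000] "GET /cgi/ping.cgi?pinghost=192.168.1.1&pingsize=3 HTTP/1.1" 200 512',
    '10.0.0.9 - admin [20/Nov/2014:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```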