CVE-2014-8389
published 2017-12-28

Priority: P275 critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 50.49% (98.8th percentile)

cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests.

Affected

5 ranges

Vendor    Product                    Version range    Fixed in
airlive   bu-2015_firmware
airlive   bu-3026_firmware
airlive   md-3025_firmware
airlive   poe-200cam_v2_firmware
airlive   wl-2000cam_firmware

Detection & IOCs (extracted from sources)

path: /cgi-bin/mft/wireless_mft.cgi
path: /cgi-bin/mft/wireless_mft
command: ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials
other: username: manufacture / password: erutcafunam
path: cgi-bin/mft/wireless_mft.cgi

  • Detect HTTP requests to /cgi-bin/mft/wireless_mft.cgi or /cgi-bin/mft/wireless_mft containing a semicolon (;) in the 'ap' parameter, indicating OS command injection attempts.
  • Monitor for HTTP Basic Auth attempts using the hard-coded credentials 'manufacture'/'erutcafunam' against AirLive camera web interfaces (Boa web server).
  • Alert on HTTP requests to /cgi-bin/mft/wireless_mft* containing shell metacharacters (e.g., ';', '%3B') in query parameters, particularly the 'ap' parameter.
  • Detect HTTP GET requests for /credentials on AirLive camera web roots, which may indicate an attacker retrieving exfiltrated Base64-encoded credential files after exploitation.
  • Monitor for access to /var/www/secret.passwd on AirLive devices, as this file contains web server user credentials targeted by the exploit.
  • The CGI endpoint cgi_test.cgi (for MD-3025, BU-3026, BU-2015) is accessible without authentication by default; detect unauthenticated requests to this path with injection patterns in write_mac, write_pid, write_msn, write_tan, or write_hdv parameters.
  • The wireless_mft.cgi command injection (CVE-2014-8389) requires authentication using hard-coded credentials ('manufacture'/'erutcafunam'); exploitation is only possible if the attacker knows or discovers these credentials.
  • The cgi_test.cgi injection (CVE-2015-2279) is unauthenticated by default; HTTPS enforcement (non-default) is the only configuration that restricts access.
  • Injection via cgi_test.cgi parameters is length-constrained due to strlen checks (e.g., write_pid checks for length 9), limiting but not preventing command injection.
  • Exfiltrated credentials from /var/www/secret.passwd are Base64-encoded; decoding them grants complete access to the device.
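
The wireless_mft and /credentials detections listed above, written as a log scanner. This is an added example, not code from the page's sources; it assumes Common Log Format lines from a proxy or sensor in front of the camera, the function names classify and scan are hypothetical, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in Common Log Format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - manufacture [10/Jan/2018:10:00:01 +0000] "GET /cgi-bin/mft/wireless_mft.cgi?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials HTTP/1.1" 200 12
192.0.2.10 - - [10/Jan/2018:10:00:05 +0000] "GET /credentials HTTP/1.1" 200 64
198.51.100.7 - admin [10/Jan/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2018:10:03:00 +0000] "GET /cgi-bin/mft/wireless_mft?ap=testname%3B HTTP/1.1" 401 0
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
SHELL_META = set(";|&`$<>\n")   # characters a shell treats specially


def classify(user, method, target):
    """Return finding labels for one request (empty list if nothing matches)."""
    url = urlsplit(target)
    path = unquote(url.path)
    findings = []
    if user == "manufacture":                      # hard-coded account name
        findings.append("hardcoded-account")
    if path.startswith("/cgi-bin/mft/wireless_mft"):
        # Split on '&' only, so a literal ';' stays inside the parameter value.
        for pair in url.query.split("&"):
            name, _, value = pair.partition("=")
            if SHELL_META & set(unquote(value)):   # decode first: catches %3B
                findings.append("mft-metachar:" + name)
    if method == "GET" and path == "/credentials":
        findings.append("credentials-fetch")
    return findings


def scan(log_text):
    """Return (source, status, findings) for every line with a finding."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, user, method, target, status = m.groups()
        findings = classify(user, method, target)
        if findings:
            hits.append((src, int(status), findings))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The status code is returned with each hit so that a 200 on the wireless_mft path can be triaged ahead of a 401.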

CVSS provenance

nvd   v3.0   9.8    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C