CVE-2014-8423
published 2014-11-28

CVE-2014-8423: Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.

Priority: P1 · 80 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 62.48% (99.1th percentile)

Affected

1 range

Vendor  Product           Version range  Fixed in
arris   vap2500_firmware  <= 08.41

Detection & IOCs (extracted from sources)

path: /admin.conf
path: /tools_command.php
cookie: p=<md5(username)>
command: cmb_header=&txt_command=whoami
command: cmb_header=&txt_command=rm /mnt/jffs2/telnet-disabled; sh /etc/init.d/S42inetd start
path: /mnt/jffs2/telnet-disabled
  • Detect unauthenticated GET requests to /admin.conf, which leaks valid usernames from the device management portal.
  • Detect POST requests to /tools_command.php with a Cookie header of the form 'p=<32-char hex string>' (MD5 of username) — this is the authentication bypass mechanism.
  • Alert on POST body parameters containing 'txt_command=' sent to /tools_command.php, indicating OS command injection attempts.
  • Monitor for telnet being re-enabled on the device: look for POST to /tools_command.php with body containing 'telnet-disabled' or 'S42inetd'.
  • The authentication bypass only works if at least one valid username exists on the device; the exploit enumerates usernames from /admin.conf before attempting command execution.
  • The vulnerability affects ARRIS VAP2500 devices running firmware versions prior to FW08.41; patched devices should not be exploitable via this vector.
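
The detection bullets above, combined into one log-matching routine as an added example (not code from this page or its sources). It assumes HTTP requests have already been parsed into records; the record fields (src, method, path, cookie, body) and the rule names are hypothetical, and the sample requests are constructed.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, unquote_plus, urlsplit

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")
TELNET_MARKERS = ("telnet-disabled", "S42inetd")

def classify(req):
    """Return the set of rule names (hypothetical labels) one request matches."""
    hits = set()
    path = urlsplit(req["path"]).path
    method = req["method"].upper()
    if method == "GET" and path == "/admin.conf":
        hits.add("admin_conf_read")          # username disclosure
    if method == "POST" and path == "/tools_command.php":
        cookie = SimpleCookie()
        cookie.load(req.get("cookie", ""))
        if "p" in cookie and MD5_HEX.match(cookie["p"].value):
            hits.add("md5_cookie_auth")      # p=<32 hex chars>
        body = req.get("body", "")
        if "txt_command" in parse_qs(body, keep_blank_values=True):
            hits.add("command_param")
        if any(m in unquote_plus(body) for m in TELNET_MARKERS):
            hits.add("telnet_reenable")
    return hits

def correlate(requests):
    """Alert per request; mark a command POST that follows an /admin.conf read
    from the same client, the sequence described in the notes above."""
    seen, alerts = {}, []
    for req in requests:
        hits = classify(req)
        prior = seen.setdefault(req["src"], set())
        if "command_param" in hits and "admin_conf_read" in prior:
            hits.add("enum_then_exec")
        prior |= hits
        if hits:
            alerts.append((req["src"], sorted(hits)))
    return alerts

# Constructed sample requests, not captured traffic (192.0.2.0/24 is a documentation range).
SAMPLE = [
    {"src": "192.0.2.10", "method": "GET", "path": "/admin.conf"},
    {"src": "192.0.2.10", "method": "POST", "path": "/tools_command.php",
     "cookie": "p=" + "a" * 32, "body": "cmb_header=&txt_command=whoami"},
    {"src": "192.0.2.20", "method": "GET", "path": "/index.php"},
]

if __name__ == "__main__":
    for src, rules in correlate(SAMPLE):
        print(src, rules)
```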