CVE-2014-8424
published 2014-11-28

CVE-2014-8424: ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

Priority: P2 · 73 · high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
EXPLOIT
EPSS: 59.62% (99.0th percentile)

Affected

1 range

Vendor   Product            Version range   Fixed in
arris    vap2500_firmware   <= 08.41

Detection & IOCs (extracted from sources)

path: /admin.conf
path: /tools_command.php
cookie: p=<md5(username)>
command: txt_command=whoami
command: txt_command=rm /mnt/jffs2/telnet-disabled; sh /etc/init.d/S42inetd start
path: /mnt/jffs2/telnet-disabled
  • Detect unauthenticated GET requests to /admin.conf, which exposes user account listings on vulnerable ARRIS VAP2500 devices.
  • Detect POST requests to /tools_command.php containing the parameter 'txt_command=' — this is the OS command injection vector on the VAP2500 management portal.
  • Detect HTTP requests to /tools_command.php where the Cookie header contains 'p=' followed by a 32-character hex string (MD5 hash), which is the authentication bypass mechanism.
  • Alert on POST body containing 'cmb_header=&txt_command=' to /tools_command.php as a strong indicator of active exploitation.
  • Monitor for telnet being re-enabled on the device: look for removal of /mnt/jffs2/telnet-disabled and execution of /etc/init.d/S42inetd, which is a post-exploitation persistence step.
  • Alert on response body containing 'Starting inetd' from /tools_command.php, indicating successful telnet enablement post-exploitation.
  • The authentication bypass only works against ARRIS VAP2500 firmware versions prior to FW08.41; devices running FW08.41 or later are not affected.
  • The bypass requires a valid username to exist on the device; the exploit first harvests usernames from /admin.conf before constructing the MD5 cookie value.
  • Command execution via tools_command.php requires the authenticated session cookie (p=MD5(username)); the auth bypass and command injection are chained — neither alone is sufficient for full exploitation.
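
The request-level checks listed above, written as matching logic over parsed HTTP proxy or web-server records. This is an added example, not code from the page's sources. The record fields (src, method, url, cookie, body, response), the indicator names, and treating an absent Cookie header as "unauthenticated" are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

MD5_COOKIE = re.compile(r"(?:^|;\s*)p=[0-9a-fA-F]{32}(?:\s*;|$)")
TELNET_MARKERS = ("/mnt/jffs2/telnet-disabled", "/etc/init.d/S42inetd")

def findings(rec):
    """Indicators matched by one HTTP transaction (record schema is assumed)."""
    hits = set()
    path = urlsplit(rec["url"]).path
    method, cookie, body = rec["method"].upper(), rec.get("cookie", ""), rec.get("body", "")
    if path == "/admin.conf" and method == "GET" and not cookie:
        hits.add("admin_conf_unauthenticated_get")
    if path == "/tools_command.php":
        if MD5_COOKIE.search(cookie):          # p=<32 hex chars>
            hits.add("md5_cookie")
        if method == "POST":
            params = parse_qs(body, keep_blank_values=True)  # URL-decodes values
            if "txt_command" in params:
                hits.add("txt_command_post")
            if "cmb_header=&txt_command=" in body:
                hits.add("exploit_body")
            if any(m in c for c in params.get("txt_command", []) for m in TELNET_MARKERS):
                hits.add("telnet_reenable")
        if "Starting inetd" in rec.get("response", ""):
            hits.add("inetd_started")
    return hits

def chained_sources(records):
    """Source addresses that did both the /admin.conf read and a txt_command POST."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["src"]] |= findings(rec)
    need = {"admin_conf_unauthenticated_get", "txt_command_post"}
    return sorted(src for src, hits in seen.items() if need <= hits)

# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE = [
    {"src": "192.0.2.10", "method": "GET", "url": "/admin.conf"},
    {"src": "192.0.2.10", "method": "POST", "url": "/tools_command.php",
     "cookie": "p=" + "0123456789abcdef" * 2, "response": "Starting inetd",
     "body": "cmb_header=&txt_command=rm+%2Fmnt%2Fjffs2%2Ftelnet-disabled"
             "%3B+sh+%2Fetc%2Finit.d%2FS42inetd+start"},
    {"src": "198.51.100.7", "method": "GET", "url": "/index.php", "cookie": "lang=en"},
]

if __name__ == "__main__":
    print([sorted(findings(r)) for r in SAMPLE], chained_sources(SAMPLE))
```

Correlating by source address reflects the chaining noted above: the /admin.conf read and the command POST together are a stronger signal than either request alone.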