cbcvebase.
CVE-2014-8687
published 2017-06-08


Priority: P276 (critical, 9.8 CVSS 3.0)
CVSS 3.0 metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit known
EPSS: 43.81% (98.6th percentile)
Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session tokens.

Affected (1 range)

Vendor    Product                  Version range       Fixed in
seagate   business_nas_firmware    before 2015.00322   2015.00322

Detection & IOCs (extracted from sources)

  • Detect exploitation attempts by inspecting the 'ci_session' cookie for a base64+XOR-encoded PHP serialized object containing a 'language' key with a null-byte path traversal sequence (e.g. '../../../etc/devicedesc\x00'), which is the LFI trigger for this CVE.
  • Flag HTTP responses containing both 'X-Powered-By: PHP/5.2.13' and 'Server: lighttpd/1.4.28' headers alongside a body containing 'Login to BlackArmor' as indicators of a vulnerable Seagate Business NAS device.
  • Alert on POST requests to '/index.php/mv_system/set_general_setup' containing a 'general_setup' parameter with XML-encoded PHP code (e.g. 'file_put_contents'), which is the stager upload step of the exploit.
  • Monitor for GET requests to randomly named PHP files at the web root (matching pattern /_[a-zA-Z0-9]{3}\.php/) on Seagate NAS devices, which correspond to the dropped webshell payload file.
  • Detect the static XOR key '0f0a000d02011f0248000d290d0b0b0e03010e07' in network traffic or tool configurations; its presence indicates use of the known Seagate NAS session forgery technique.
  • Detect unauthenticated access to '/index.php/mv_system/get_general_setup' or '/index.php/mv_system/set_general_setup' endpoints, especially with a forged ci_session cookie setting 'is_admin' to 'yes'.
  • The static XOR key and cookie name ('ci_session') are hardcoded defaults in the exploit; defenders should not rely on cookie name changes alone as a mitigation since the key is universally the same across all affected devices.
  • The exploit is pre-authentication and targets the login page directly; network-level access controls blocking the web UI port are the primary mitigation until firmware 2015.00322 or later is applied.
  • The webshell filename is randomized per exploitation run (UUID or random alphanumeric prefix), so file-based detection must use pattern matching rather than a fixed filename.
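Added here as a defender's example (not code from this page's sources or from Seagate): a small classifier that applies the request-side and response-side indicators listed above to constructed sample traffic. It does not decode the ci_session cookie, so the forged 'is_admin' value is out of scope; the endpoint, stager-string, webshell-path, static-key and banner checks are taken directly from the bullets.

```python
import re
from dataclasses import dataclass

# Indicator values below are quoted from the IOC list above; all traffic is constructed.
STATIC_XOR_KEY = "0f0a000d02011f0248000d290d0b0b0e03010e07"
MV_SYSTEM_ENDPOINTS = {
    "/index.php/mv_system/get_general_setup",
    "/index.php/mv_system/set_general_setup",
}
WEBSHELL_PATH = re.compile(r"^/_[a-zA-Z0-9]{3}\.php$")  # dropped webshell naming pattern

@dataclass
class HttpRequest:
    method: str
    path: str
    cookie: str = ""   # raw Cookie header value
    body: str = ""     # raw request body (form-encoded in the POST case)

def classify_request(req: HttpRequest) -> list[str]:
    """Return the indicators from the IOC list matched by one request, in a fixed order."""
    hits = []
    # The IOC list treats use of these endpoints as suspect; the session cookie is not decoded here.
    if req.path in MV_SYSTEM_ENDPOINTS:
        hits.append("mv_system-endpoint")
    if (req.method == "POST" and req.path.endswith("/set_general_setup")
            and "general_setup=" in req.body and "file_put_contents" in req.body):
        hits.append("stager-upload")
    if req.method == "GET" and WEBSHELL_PATH.match(req.path):
        hits.append("webshell-fetch")
    if STATIC_XOR_KEY in req.cookie or STATIC_XOR_KEY in req.body:
        hits.append("static-key-observed")
    return hits

def is_vulnerable_banner(headers: dict[str, str], body: str) -> bool:
    """Device fingerprint from the IOC list: both headers plus the BlackArmor login text."""
    hdr = {k.lower(): v for k, v in headers.items()}
    return (hdr.get("x-powered-by") == "PHP/5.2.13"
            and hdr.get("server") == "lighttpd/1.4.28"
            and "Login to BlackArmor" in body)

SAMPLE_REQUESTS = [  # constructed, not captured traffic
    HttpRequest("GET", "/index.php/mv_system/get_general_setup", cookie="ci_session=ZZZZ"),
    HttpRequest("POST", "/index.php/mv_system/set_general_setup", cookie="ci_session=ZZZZ",
                body="general_setup=...file_put_contents..."),
    HttpRequest("GET", "/_k9x.php"),
    HttpRequest("GET", "/index.php"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.method, r.path, classify_request(r))
```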

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD      v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C