CVE-2014-9727
Published 2015-05-29
CVE-2014-9727: AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
Priority: P1 · 81 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 71.84% (99.3rd percentile)
Detection & IOCs (extracted from sources)
URL: https://ip/cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26%20cat%20/var/flash/voip.cfg%20%26
- Detect unauthenticated HTTP requests to /cgi-bin/webcm containing shell metacharacters (e.g., %26, &, ;) in the var:lang parameter, which indicates exploitation of CVE-2014-9727.
- The Metasploit module targets Fritz!Box 7270 (and models 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270, 7170, 7140, 7113, 6840 LTE, 6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270) via the webcm endpoint; use device model fingerprinting to prioritize monitoring.
- Look for path traversal patterns in the getpage parameter (e.g., ../html/menus/menu2.html) combined with shell metacharacters in var:lang as a compound exploitation signature.
- Exploitation is from the LAN side per Metasploit module testing notes, though the NVD description says 'remote attackers'; confirm network exposure context before assuming internet-facing risk.
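A log-side check for the compound signature described above, written here as an added example (it is not from the page, AVM, or any vendor detection rule). It parses constructed access-log lines, URL-decodes the webcm query so that encoded forms such as %26 are seen as the metacharacters they become, and alerts only when var:lang carries shell metacharacters, escalating when getpage also contains traversal; the names inspect_request, scan_log and SAMPLE_LOG are the example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters that let a value break out of the shell command webcm builds.
# The PoC URL-encodes them (%26 for "&"), so decode before checking.
SHELL_META = re.compile(r"[;&|`$]")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")  # a "../" segment in getpage
# Combined-log-format line: source IP, timestamp, request line.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Constructed sample lines (not from the page): one exploit attempt, one
# legitimate UI request (the stock UI itself uses ../html/... in getpage),
# one unrelated request.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2024:10:00:01 +0000] "GET /cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26%20cat%20/var/flash/voip.cfg%20%26 HTTP/1.1" 200 512
192.0.2.11 - - [02/Jan/2024:10:00:02 +0000] "GET /cgi-bin/webcm?getpage=../html/de/menus/menu2.html&var:lang=de HTTP/1.1" 200 4096
192.0.2.12 - - [02/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def inspect_request(target):
    """Return a finding for one request target, or None if it is not an attempt on webcm var:lang."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/webcm":
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    lang = params.get("var:lang", "")
    getpage = params.get("getpage", "")
    # Traversal in getpage alone is normal UI traffic; only alert when
    # var:lang carries metacharacters, and mark the compound form.
    if not SHELL_META.search(lang):
        return None
    indicators = ["shell-metachar-in-var:lang"]
    if TRAVERSAL.search(getpage):
        indicators.append("traversal-in-getpage")
    return {"indicators": indicators, "var:lang": lang, "getpage": getpage}


def scan_log(text):
    """Run inspect_request over every parsable line and return the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m.group("target"))
        if hit:
            hit.update(src=m.group("src"), ts=m.group("ts"))
            findings.append(hit)
    return findings
```

Running scan_log over SAMPLE_LOG yields a single finding for 192.0.2.10 carrying both indicators; the legitimate request with var:lang=de is not flagged even though its getpage contains "../".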
CVSS provenance
- NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-xw24-98q7-5jvx (ghsa_unreviewed · 2022-05-14 · HIGH · CWE-78): AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
VulnCheck
CVE-2014-9727 (vulncheck · 2014 · CVSS 10.0 · CRITICAL): avm fritz\!box Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
Affected: avm fritz\!box
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/
- https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-02&host_type=src&vulnerability=cve-2014-9727
- https://dashboard.shadowserver.org/statistics/honeypot/v
No detection rules found.
Exploit-DB
Fritz!Box - Remote Command Execution (exploitdb · 2014-05-01 · CVE-2014-9727)
---
App : Fritz!Box
Author : 0x4148
Fritz!Box is a networking/Voice over IP router produced by AVM. It suffers from an unauthenticated remote command execution flaw.
PoC :
https://ip/cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26%20cat%20/var/flash/voip.cfg%20%26
#0x4148_rise
Metasploit
Fritz!Box Webcm Unauthenticated Command Injection (metasploit)
Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection. This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270, 7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE, 6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270
Unit42
Mirai Variant V3G4 Targets IoT Devices (blogs_unit42 · 2023-02-15 · CVSS 7.5 · HIGH)
Authors: Chao Lei, Zhibin Zhang, Cecilia Hu, Aveek Das. Published: February 15, 2023. Tags: Threat Research, Vulnerabilities, Botnet, IoT Vulnerability, Mirai variant, V3G4.
## Content Warning
We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
## Executive Summary
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geut
Securelist
Honeypots and the Internet of Things (blogs_securelist · 2017-06-19)
Table of Contents
- Threat to the end user
- The main problems of smart devices
- Firmware
- Passwords, telnet and SSH
- Statistics
- Geography of infected devices
- Geographical distribution of server IP addresses from which malware is downloaded to devices
- Distribution of attack activity by days of the week
- Conclusion
Authors
- Vladimir Kuskov
- Mikhail Kuzin
- Yaroslav Shmelev
- Denis Makrushin
- Igor Grachev
## Analysis of data harvested by Kaspersky Lab’s IoT honeytraps
There were a number of incidents in 2016 that triggered increased interest in the security of so-called IoT or ‘smart’ devices. They included, among others, the record-breaking DDoS attacks against the French hosting provider OVH and the US DNS provider Dyn. These attacks are known to have been launched with the help of a mas
References:
- http://www.exploit-db.com/exploits/33136
- http://www.osvdb.org/103289
- https://www.trustwave.com/Resources/SpiderLabs-Blog/-Honeypot-Alert--Fritz%21Box-%E2%80%93-Remote-Command-Execution-Exploit-Attempt/