cbcvebase.
CVE-2014-9727
published 2015-05-29

CVE-2014-9727: AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.

Priority: P1 (81)
CVSS 2.0: 10 critical (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ITW / EXPLOIT / VulnCheck KEV: Exploited in the wild
EPSS: 71.84% (99.3rd percentile)

Detection & IOCs (extracted from sources)

url: https://ip/cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26%20cat%20/var/flash/voip.cfg%20%26
path: /cgi-bin/webcm
path: /var/flash/voip.cfg
  • Detect unauthenticated HTTP requests to /cgi-bin/webcm containing shell metacharacters (e.g., %26, &, ;) in the var:lang parameter, which indicates exploitation of CVE-2014-9727.
  • The Metasploit module targets Fritz!Box 7270 (and models 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270, 7170, 7140, 7113, 6840 LTE, 6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270) via the webcm endpoint — use device model fingerprinting to prioritize monitoring.
  • Look for path traversal patterns in the getpage parameter (e.g., ../html/menus/menu2.html) combined with shell metacharacters in var:lang as a compound exploitation signature.
  • Exploitation is from the LAN side per the Metasploit module's testing notes, although the NVD description says 'remote attackers'; confirm the network exposure context before assuming internet-facing risk.
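The detection logic from the bullets above, as an added example (not code from the source or from any vendor rule): it parses constructed combined-format access-log lines, checks requests to /cgi-bin/webcm for shell metacharacters in var:lang, and raises the confidence when getpage also carries a traversal pattern. The log format, IP addresses and the `en%3Bid` variant line are assumptions made for the sample; the first sample line mirrors the URL listed in the IOCs.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined-log style line (format assumed for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r"[;&|`$()<>]")   # none of these belong in a language code
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def query_params(query):
    """Split on '&' only (never ';') and percent-decode each value, so an encoded
    %26 or %3B inside var:lang survives as data for the checks below."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def analyze_target(target):
    """Classify one request target (path?query or full URL) against the CVE-2014-9727 signature."""
    parts = urlsplit(target)
    f = {"webcm": parts.path.endswith("/cgi-bin/webcm"), "lang_meta": False, "traversal": False}
    if f["webcm"]:
        params = query_params(parts.query)
        f["lang_meta"] = any(SHELL_META.search(v) for v in params.get("var:lang", []))
        f["traversal"] = any(TRAVERSAL.search(v) for v in params.get("getpage", []))
    # Metacharacters in var:lang are the exploitation indicator; traversal in getpage
    # raises confidence but also appears in ordinary menu navigation, so it never alerts alone.
    f["alert"] = f["webcm"] and f["lang_meta"]
    f["confidence"] = "high" if f["alert"] and f["traversal"] else ("medium" if f["alert"] else None)
    return f

def scan_log(lines):
    """Return (client_ip, target, findings) for every log line that trips the alert."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (f := analyze_target(m["target"]))["alert"]:
            hits.append((m["ip"], m["target"], f))
    return hits

SAMPLE_LOG = [  # constructed lines; the first mirrors the URL from the IOC list
    '192.0.2.10 - - [29/May/2015:10:00:00 +0000] "GET /cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26%20cat%20/var/flash/voip.cfg%20%26 HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/May/2015:10:00:05 +0000] "GET /cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=de HTTP/1.1" 200 4096',
    '192.0.2.12 - - [29/May/2015:10:00:09 +0000] "GET /cgi-bin/webcm?var:lang=en%3Bid HTTP/1.1" 200 128',
    '192.0.2.13 - - [29/May/2015:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target, f in scan_log(SAMPLE_LOG):
        print(f"{ip} {f['confidence']:6} {target}")
```

The benign second line shows why traversal in getpage must not alert on its own: the stock menu navigation uses the same getpage value with a plain language code.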

CVSS provenance

nvd: v2.0 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
vulncheck: 10.0 CRITICAL