CVE-2015-8257
published 2017-05-02


Priority: P270, high, 8.8 (CVSS 3.0)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 17.69% (96.8th percentile)
The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml.

Detection & IOCs (extracted from sources)

url: http://xxx.xxx.xxx.xxx/app_license.shtml?app=
url: http://xxx.xxx.xxx.xxx/app_license_custom.shtml?app=
url: http://xxx.xxx.xxx.xxx/app_index.shtml?app=
url: http://xxx.xxx.xxx.xxx/app_params.shtml?app=
path: /usr/html/bin/devtools.sh
path: {HTMLROOT}/bin/devtools.sh
command: app=ORWELLLABS%3Bcat%20/etc/passwd
  • Monitor HTTP requests to AXIS camera web interfaces targeting the four vulnerable SHTML endpoints (app_license.shtml, app_license_custom.shtml, app_index.shtml, app_params.shtml) with an 'app' parameter containing URL-encoded shell metacharacters such as %3B (semicolon) to detect command injection attempts.
  • Detect process execution of devtools.sh invoked via '/bin/sh -c' on AXIS devices, particularly when the argument contains unexpected characters beyond a simple application name, indicating shell injection.
  • Alert on HTTP GET requests to AXIS camera endpoints where the 'app' query parameter contains URL-encoded metacharacters (%3B, %20, %7C, %26, etc.) indicative of OS command injection via shell metacharacters.
  • The vulnerable script passes user input unsanitized to shell functions including confvariable(), which uses eval — look for process trees where devtools.sh spawns unexpected child processes (e.g., cat, wget, nc) as root.
  • Exploitation requires prior authentication — the vulnerability is only reachable by remote authenticated users, reducing the attack surface to compromised or default credentials.
  • The firmware hashes provided are MD5 hashes of the full firmware images for affected products; they can be used to confirm whether a specific firmware binary contains the vulnerable devtools.sh script, but do not directly hash the script itself.
  • The vulnerability is triggered through BusyBox running with root privileges on all affected binaries and scripts, meaning successful exploitation yields root-level command execution.
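
The request-monitoring guidance above, written as a log scanner. This is an added example, not code from the advisory or the vendor. The combined access-log format, the character set allowed for an application name, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# The four endpoints named in the CVE description.
ENDPOINTS = {"app_license.shtml", "app_license_custom.shtml",
             "app_index.shtml", "app_params.shtml"}
# Assumption: a legitimate application name uses only these characters.
SAFE_APP = re.compile(r"[A-Za-z0-9_.-]*")
# Client address and request target of a combined-format log line (assumed).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the second reuses the 'app' value listed above.
SAMPLE_LOG = [
    '192.0.2.10 - admin [02/May/2017:10:00:01 +0000] "GET /app_index.shtml?app=demoapp HTTP/1.1" 200 512',
    '192.0.2.77 - viewer [02/May/2017:10:00:09 +0000] "GET /app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd HTTP/1.1" 200 1841',
    '192.0.2.10 - admin [02/May/2017:10:00:12 +0000] "GET /index.shtml?app=a%3Bb HTTP/1.1" 200 90',
]

def suspicious_app_values(target):
    """Return decoded 'app' values that are not a plain application name."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] not in ENDPOINTS:
        return []
    flagged = []
    # Split on '&' only, so a raw ';' stays inside the value being checked.
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) != "app":
            continue
        value = unquote_plus(raw)  # %3B -> ';', %20 -> ' '
        if not SAFE_APP.fullmatch(value):
            flagged.append(value)
    return flagged

def scan(lines):
    """Return (client, endpoint path, decoded value) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        for value in suspicious_app_values(target):
            hits.append((client, urlsplit(target).path, value))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching against an allowlist of name characters, rather than a list of specific metacharacters, also flags encodings the bullet list does not enumerate.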

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C