Vulnerability Details : CVE-2014-8423
Public exploit exists!
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.
Exploit prediction scoring system (EPSS) score for CVE-2014-8423
Probability of exploitation activity in the next 30 days: 40.91%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 97 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2014-8423
-
Arris VAP2500 tools_command.php Command Execution
Disclosure Date: 2014-11-25First seen: 2020-04-26exploit/linux/http/vap2500_tools_command_execArris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid
CVSS scores for CVE-2014-8423
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
CWE ids for CVE-2014-8423
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8423
-
http://www.zerodayinitiative.com/advisories/ZDI-14-389/
ZDI-14-389 | Zero Day Initiative
Products affected by CVE-2014-8423
- cpe:2.3:o:arris:vap2500_firmware:*:*:*:*:*:*:*:*