Vulnerability Details : CVE-2014-8687
Public exploit exists!
Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session tokens.
Vulnerability category: Execute code
Products affected by CVE-2014-8687
- cpe:2.3:o:seagate:business_nas_firmware:2014.00319:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8687
EPSS score: 52.11% (probability of exploitation activity in the next 30 days)
Percentile: ~98% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2014-8687
- Seagate Business NAS Unauthenticated Remote Command Execution
  Disclosure Date: 2015-03-01
  First seen: 2020-04-26
  exploit/linux/http/seagate_nas_php_exec_noauth
  Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the
CVSS scores for CVE-2014-8687
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2014-8687
- The product uses a broken or risky cryptographic algorithm or protocol. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8687
- http://www.securityfocus.com/bid/72831
  Seagate Business Storage 2-Bay NAS CVE-2014-8687 Remote Code Execution Vulnerability [Third Party Advisory; VDB Entry]
- https://beyondbinary.io/articles/seagate-nas-rce/
  Beyond Binary - Advisory: Seagate NAS Remote Code Execution Vulnerability [Third Party Advisory]
- https://www.exploit-db.com/exploits/36264/
  Seagate Business NAS - Remote Command Execution (Metasploit) - PHP remote Exploit [Exploit; Third Party Advisory; VDB Entry]
- https://www.exploit-db.com/exploits/36202/
  Seagate Business NAS 2014.00319 - Remote Code Execution - Hardware webapps Exploit [Exploit; Third Party Advisory; VDB Entry]
- http://packetstormsecurity.com/files/130585/Seagate-Business-NAS-2014.00319-Remote-Code-Execution.html
  Seagate Business NAS 2014.00319 Remote Code Execution ≈ Packet Storm [Exploit; Third Party Advisory]
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
  Seagate Business NAS Unauthenticated Remote Command Execution ≈ Packet Storm [Exploit; Third Party Advisory]