// For flags

CVE-2014-8424

ARRIS VAP2500 Management Portal Authentication Bypass Vulnerability

Severity Score

7.8
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

ARRIS VAP2500 anterior a FW08.41 no valida debidamente las contraseñas, lo que permite a atacantes remotos evadir la autenticación.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of user authentication. The issue lies in the failure to compare the password when authenticating. An attacker can leverage this vulnerability to bypass authentication checks which can then be chained to execute code with root privileges.

*Credits: Ricky "HeadlessZeke" Lawshae
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-10-22 CVE Reserved
  • 2014-11-25 CVE Published
  • 2014-11-25 First Exploit
  • 2024-04-03 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-287: Improper Authentication
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Arris
Search vendor "Arris"
 Vap2500 Firmware
Search vendor "Arris" for product "Vap2500 Firmware"
 <= 08.41
Search vendor "Arris" for product "Vap2500 Firmware" and version " <= 08.41"
-
Affected