CVE-2004-2425

Axis Network Camera <2.40 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-2425. PoCs published by bashis.

AI-analyzed exploit summary This exploit leverages a shell metacharacter command injection vulnerability in Axis network cameras to execute arbitrary commands, specifically demonstrating the retrieval of the '/etc/passwd' file. The vulnerability is due to improper input sanitization in the 'virtualinput.cgi' script.

Description

Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to execute arbitrary commands via accent (`) and possibly other shell metacharacters in the query string to virtualinput.cgi.

Exploits (1)

exploitdb WORKING POC VERIFIED

by bashis · textwebappscgi

https://www.exploit-db.com/exploits/24400

View Code ZIP pw:eip

This exploit leverages a shell metacharacter command injection vulnerability in Axis network cameras to execute arbitrary commands, specifically demonstrating the retrieval of the '/etc/passwd' file. The vulnerability is due to improper input sanitization in the 'virtualinput.cgi' script.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Axis 2100, 2110, 2120, 2420 network cameras (firmware 2.34-2.40), Axis 2130, 2401, 2401 video servers

No auth needed

Prerequisites: Network access to the vulnerable Axis device · Vulnerable firmware version

MITRE ATT&CK