CVE-2014-3804

AlienVault OSSIM < 4.7.0 - Remote Code Execution via av-centerd SOAP Service

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-3804. PoCs published by Metasploit, James Fitts, Unknown, juan vazquez, including Metasploit module exploits/linux/ids/alienvault_centerd_soap_exec.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in AlienVault OSSIM's av-centerd SOAP service. It leverages insecure use of Perl backticks in the update_system_info_debian_package method to execute arbitrary commands, achieving remote code execution.

Description

The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) update_system_info_debian_package, (2) ossec_task, (3) set_ossim_setup admin_ip, (4) sync_rserver, or (5) set_ossim_setup framework_ip request, a different vulnerability than CVE-2014-3805.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/33865

This Metasploit module exploits a command injection vulnerability in AlienVault OSSIM's av-centerd SOAP service. It leverages insecure use of Perl backticks in the update_system_info_debian_package method to execute arbitrary commands, achieving remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: AlienVault OSSIM <= 4.6.1
No auth needed
Prerequisites: Network access to the target's av-centerd service (port 40007) · Target running a vulnerable version of AlienVault OSSIM
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by James Fitts · ruby · remote · linux
https://www.exploit-db.com/exploits/42708

This exploit leverages a command injection vulnerability in Alienvault OSSIM's av-centerd Util.pm sync_rserver function due to an incomplete blacklist for the $uuid parameter. It sends a maliciously crafted SOAP request to execute arbitrary commands as root.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Alienvault OSSIM av-centerd (version not specified)
No auth needed
Prerequisites: Network access to the target's av-centerd service (port 40007)
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Unknown, juan vazquez · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ids/alienvault_centerd_soap_exec.rb

This Metasploit module exploits a command injection vulnerability in AlienVault OSSIM av-centerd SOAP web service (CVE-2014-3804). It leverages insecure use of perl backticks in the update_system_info_debian_package method to execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: AlienVault OSSIM <= 4.6.1
No auth needed
Prerequisites: Network access to port 40007 · SOAP service exposed
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Vendor Advisory x_refsource_misc
http://zerodayinitiative.com/advisories/ZDI-14-197/
Third Party Advisory x_refsource_misc
http://zerodayinitiative.com/advisories/ZDI-14-196/
Various Sources x_refsource_confirm
http://forums.alienvault.com/discussion/2690
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42708/
Third Party Advisory x_refsource_misc
http://zerodayinitiative.com/advisories/ZDI-14-200/
Third Party Advisory x_refsource_misc
http://zerodayinitiative.com/advisories/ZDI-14-202/
Third Party Advisory x_refsource_misc
http://zerodayinitiative.com/advisories/ZDI-14-201/

Scores

EPSS 0.7300
EPSS Percentile 99.4%

Details

CWE: CWE-94
Status: published
Products (17)
alienvault/open_source_security_information_management 4.0
alienvault/open_source_security_information_management 4.0.3
alienvault/open_source_security_information_management 4.0.4
alienvault/open_source_security_information_management 4.1
alienvault/open_source_security_information_management 4.1.2
alienvault/open_source_security_information_management 4.1.3
alienvault/open_source_security_information_management 4.2
alienvault/open_source_security_information_management 4.2.2
alienvault/open_source_security_information_management 4.2.3
alienvault/open_source_security_information_management 4.3
... and 7 more
Published Jun 13, 2014
Tracked Since Feb 18, 2026