CVE-2014-6278

HIGH KEV

GNU Bash through 4.3 bash43-026 - Remote Code Execution via Environment Variable Function Parsing


Exploitation Summary

CVE-2014-6278 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 2, 2025. EIP tracks 10 public exploits from researchers including Federico Galatolo, lastc0de, and thatchriseckert, as well as the Metasploit module auxiliary/scanner/http/apache_mod_cgi_bash_env.

Description

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Exploits (10)

exploitdb WORKING POC VERIFIED
by Federico Galatolo · python · remote · linux
https://www.exploit-db.com/exploits/34900

This exploit leverages the Shellshock vulnerability (CVE-2014-6278) in Apache mod_cgi to execute arbitrary commands via maliciously crafted HTTP headers. It supports both reverse and bind shell payloads for remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache HTTP Server with mod_cgi (vulnerable to Shellshock)
No auth needed
Prerequisites: Target must be vulnerable to Shellshock (CVE-2014-6278) · Access to a vulnerable CGI script on the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by lastc0de · text · webapps · cgi
https://www.exploit-db.com/exploits/39887

This exploit leverages the ShellShock vulnerability (CVE-2014-6278) in Sun Secure Global Desktop and Oracle Global Desktop by injecting a malicious HTTP User-Agent header to execute arbitrary commands on the target system. The PoC demonstrates command injection via a crafted curl request to the vulnerable CGI script.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Sun Secure Global Desktop & Oracle Global Desktop 4.61.915
No auth needed
Prerequisites: Vulnerable version of Sun Secure Global Desktop or Oracle Global Desktop · Network access to the target system
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by thatchriseckert · python · remote · hardware
https://www.exploit-db.com/exploits/39568

This exploit leverages the Shellshock vulnerability (CVE-2014-6278) in Cisco UCS Manager 2.1(1b) to execute arbitrary commands via a maliciously crafted User-Agent header, resulting in a reverse shell. It first checks for vulnerability by fetching /etc/passwd before attempting to spawn the shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cisco UCS Manager 2.1(1b)
No auth needed
Prerequisites: Network access to the target · Bash environment variable injection vulnerability (Shellshock)
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WRITEUP
remote
https://github.com/veeeveeeveee/tabijibiyori-wgetCloud-al5tVPOHMdTt9x2d

This repository provides a detailed technical walkthrough of exploiting CVE-2014-6278 (Shellshock), including vulnerability verification, payload generation, and privilege escalation techniques. It includes practical examples of using curl to trigger the vulnerability and Python to upgrade shells.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GNU Bash versions before 4.3
No auth needed
Prerequisites: Vulnerable Bash version · Access to a CGI script or service that passes environment variables to Bash
devstral-2 · analyzed Feb 25, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/threat9/routersploit

This repository contains the RouterSploit framework, an exploitation toolkit for embedded devices, including modules for exploits, credential testing, scanners, and payloads. It is designed to test and exploit vulnerabilities in routers and other embedded systems.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Embedded devices (routers, cameras, etc.)
No auth needed
Prerequisites: Python 3.6+ · network access to target device
devstral-2 · analyzed Feb 25, 2026

exploitdb WORKING POC
python · remote · linux
https://www.exploit-db.com/exploits/34860

This exploit leverages the Shellshock vulnerability (CVE-2014-6278) in Bash by crafting malicious DHCP packets with a payload in the URL option (114) to trigger remote code execution. It listens for DHCP DISCOVER broadcasts, extracts client details, and responds with malicious OFFER and ACK packets containing a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GNU Bash 4.3.11
No auth needed
Prerequisites: Network access to broadcast DHCP traffic · Vulnerable Bash version on target system
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
python · remote · linux
https://www.exploit-db.com/exploits/36933

This exploit leverages the ShellShock vulnerability (CVE-2014-6278) by injecting malicious environment variables via DHCP responses. It crafts DHCP Offer/ACK packets with a payload in the 'dump_path' option, which is processed by the vulnerable Bash shell when the victim's dhclient executes the environment variable.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Bash (versions affected by ShellShock), dhclient
No auth needed
Prerequisites: Network access to the target's DHCP traffic · Vulnerable Bash version on the target system · Target system using dhclient for DHCP
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC
by Stephane Chazelas, wvu, lcamtuf · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb

This Metasploit module exploits CVE-2014-6271 (Shellshock) by injecting malicious environment variables into CGI scripts via HTTP headers, allowing remote command execution. It includes checks for both CVE-2014-6271 and CVE-2014-6278.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache HTTP Server with mod_cgi and vulnerable Bash versions
No auth needed
Prerequisites: Vulnerable Bash version (1.14 through 4.3) · Apache mod_cgi enabled · Accessible CGI script
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Stephane Chazelas, wvu, juan vazquez · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb

This Metasploit module exploits the Shellshock vulnerability (CVE-2014-6271 and CVE-2014-6278) in Bash by injecting malicious environment variables via HTTP headers to achieve remote code execution on vulnerable Apache mod_cgi configurations.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache HTTP Server with mod_cgi and Bash (versions prior to patches for Shellshock)
No auth needed
Prerequisites: Vulnerable Bash version · Apache mod_cgi enabled · Accessible CGI script
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Stephane Chazelas, lcamtuf, bcoles · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cups_bash_env_exec.rb

This Metasploit module exploits the Shellshock vulnerability (CVE-2014-6271) in CUPS by injecting malicious environment variables through PRINTER_INFO and PRINTER_LOCATION. It leverages Bash's flawed environment variable handling to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CUPS (Common Unix Printing System) versions 1.4.3, 1.5.3, 1.6.2, 1.7.2
Auth required
Prerequisites: Valid CUPS credentials · Network access to CUPS service (port 631) · Vulnerable Bash version
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.9169
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-10-02
VulnCheck KEV 2018-03-01
ENISA EUVD EUVD-2014-6163
CWE CWE-78
Status published
Products (25)
gnu/bash 1.14.0
gnu/bash 1.14.1
gnu/bash 1.14.2
gnu/bash 1.14.3
gnu/bash 1.14.4
gnu/bash 1.14.5
gnu/bash 1.14.6
gnu/bash 1.14.7
gnu/bash 2.0
gnu/bash 2.01
... and 15 more
Published Sep 30, 2014
KEV Added Oct 02, 2025
Tracked Since Feb 18, 2026