CVE-2014-8356

HIGH EXPLOITED

Zhone zNID 2426A < s3.0.501 - Authenticated Authorization Bypass via Insecure Direct Object Reference

Exploitation Summary

CVE-2014-8356 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Lyon Yang.

AI-analyzed exploit summary: This advisory details multiple vulnerabilities in Zhone ZNID GPON routers, including insecure direct object reference, password disclosure, remote command injection, XSS, and privilege escalation. It provides proof-of-concept steps and affected URLs but does not include executable exploit code.

Description

The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference.

Exploits (1)

exploitdb WRITEUP
by Lyon Yang · text · remote · hardware
https://www.exploit-db.com/exploits/38453

Classification
Writeup 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Zhone ZNID GPON 2426A (and related models) < S3.0.501
Auth required
Prerequisites: Access to the router's web interface · Low-privileged credentials
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/38453/
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2015/Oct/57

Scores

CVSS v3 8.8
EPSS 0.0564
EPSS Percentile 91.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-04-13
CWE CWE-639
Status published
Products (1)
dasanzhone/znid_2426a_firmware < s3.0.501
Published Nov 21, 2019
Tracked Since Feb 18, 2026