CVE-2014-8424

ARRIS VAP2500 < 08.41 - Authentication Bypass via Improper Password Validation


Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-8424. PoCs published by HeadlessZeke, including Metasploit module exploits/linux/http/vap2500_tools_command_exec.

AI-analyzed exploit summary: This Metasploit module exploits an OS command injection vulnerability in Arris VAP2500 access points via the tools_command.php page, bypassing authentication by setting a cookie to an MD5 hash of a valid username.

Description

ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

Exploits (2)

metasploit WORKING POC NORMAL
by HeadlessZeke · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vap2500_tools_command_exec.rb

This Metasploit module exploits an OS command injection vulnerability in Arris VAP2500 access points via the tools_command.php page, bypassing authentication by setting a cookie to an MD5 hash of a valid username.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Arris VAP2500 access points
No auth needed
Prerequisites: Network access to the target device
devstral-2 · analyzed Apr 23, 2026

exploitdb WORKING POC
ruby · webapps · hardware
https://www.exploit-db.com/exploits/35372

This Ruby script exploits an authentication bypass vulnerability in VAP2500 devices by leveraging weak MD5-based session cookies to execute arbitrary commands as root, modify the root password, and enable telnet access.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VAP2500 (firmware version unspecified)
No auth needed
Prerequisites: Network access to the VAP2500 device · Telnet service must be disabled initially
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-14-388/

Scores

EPSS: 0.5962
EPSS Percentile: 99.0%

Details

CWE: CWE-287
Status: published
Products (1)
arris/vap2500_firmware < 08.41
Published: Nov 28, 2014
Tracked Since: Feb 18, 2026