CVE-2014-9118

HIGH EXPLOITED

Zhone zNID GPON 2426A <S3.0.501 - RCE

Title source: llm

Description

The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.

Exploits (1)

exploitdb WRITEUP

by Lyon Yang · textremotehardware

https://www.exploit-db.com/exploits/38453

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2015/Oct/57

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/38453/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/536663/100/0/threaded

Scores

CVSS v3 8.8

EPSS 0.5229

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-04-12

CWE

CWE-77

Status published

Products (1)

dasanzhone/znid_2426a_firmware

Published Oct 17, 2017

Tracked Since Feb 18, 2026