CVE-2014-125121

216.73.217.22

· Published 31/07/2025 15:15 · Modified 31/07/2025 18:42

Labels: CVE-2014-125121 2025-07-31 CVE-2014-125121 CWE-732 [email protected]

Essential information

Published: 31/07/2025 15:15
Modified: 31/07/2025 18:42
Author: —
Creator: —
CVSS: 10.0 CRITICAL (v3) 10.0 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
array networks / vapv	`cpe:2.3:a:array_networks:vapv:8.3.2.17:::::::*`
array networks / vxag	`cpe:2.3:a:array_networks:vxag:9.2.0.34:::::::*`