CVE-2014-125121
BaseFortify
Publication date: 2025-07-31
Last updated on: 2025-07-31
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| array_networks | vxag | 9.2.0.34 |
| array_networks | vapv | 8.3.2.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Array Networks vAPV and vxAG appliances due to hardcoded SSH credentials or a hardcoded SSH private key combined with insecure permissions on a startup script. An attacker can remotely authenticate with limited privileges using these credentials, then overwrite a world-writable startup script (/ca/bin/monitor.sh) with arbitrary commands. When the debug monitor is enabled, this script runs with elevated privileges, allowing the attacker to execute their payload as root and fully compromise the system.
How can this vulnerability impact me?
The vulnerability allows an attacker to gain full root access to the affected device remotely. This means the attacker can take complete control over the system, potentially leading to data theft, disruption of services, unauthorized changes, and further attacks within the network.