CVE-2014-9118

The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell...

Basic Information

CVE State: PUBLISHED
Reserved Date: November 26, 2014
Published Date: October 17, 2017
Last Updated: August 06, 2024
Vendor: n/a
Product: n/a
Description: The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.

CVSS Scores

CVSS v3.0

8.8 - HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

9.0

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploit Status

Exploited in the Wild: Yes (2026-01-01 00:00:00 UTC) Source

References

http://seclists.org/fulldisclosure/2015/Oct/57 https://www.exploit-db.com/exploits/38453/ http://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html http://www.securityfocus.com/archive/1/536663/100/0/threaded

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2026-01-01 00:00:00 UTC

Timeline

CVE ID Reserved

November 26, 2014
CVE Published to Public

October 17, 2017
Added to KEVIntel

January 01, 2026