Description

Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH loginĀ or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.

INFO

Published Date :

2025-07-31T14:52:45.290Z

Last Modified :

2025-07-31T15:17:56.760Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2014-125121 vulnerability.

Vendors Products
Arraynetworks
  • Vapv
  • Vxag
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2014-125121.

URL Resource
https://packetstorm.news/files/id/125761 cve-icon cve-icon
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb cve-icon cve-icon
https://www.exploit-db.com/exploits/32440 cve-icon cve-icon
https://www.vulncheck.com/advisories/array-networks-vapv-vxag-default-credential-privilege-escalation cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability