CVE-2014-6278

CVE Database · CVE-2014-6278

CVE-2014-6278

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

99.62%

Published

Sep 30, 2014

Modified

Apr 22, 2026

CISA Known Exploited Vulnerability

Added: 2025-10-02 · Due: 2025-10-23

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (6)

All weaponized →

Exploit-DBSun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Injection (Shellshock)Exploit-DBCisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock)Exploit-DBApache mod_cgi - 'Shellshock' Remote Command Injection Exploit-DBdhclient 4.1 - Bash Environment Variable Command Injection (Shellshock)Exploit-DBGNU bash 4.3.11 - Environment Variable dhclient TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78CWE-78

Affected Products (28)

gnu · bashvulnerable