Cyber Resilience

CVE-2014-6271

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 24 September 2014

Modified: 22 April 2026
KEV Added: 28 January 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 1.0000 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2014-6271 is a critical-severity OS Command Injection (CWE-78) vulnerability in IBM QRadar Security Information and Event Manager. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

GNU Bash through 4.3 contains a flaw that causes it to process trailing strings after function definitions within environment variable values. This affects the Bash shell itself and surfaces in any context where Bash is invoked across a privilege boundary, including OpenSSH's ForceCommand feature, Apache HTTP Server mod_cgi and mod_cgid modules, certain DHCP client scripts, and similar configurations.

Remote attackers can supply a crafted environment variable to execute arbitrary code without authentication or user interaction. Successful exploitation grants complete control over the affected process, enabling full read, write, and execute access as indicated by the CVSS 9.8 rating and CWE-78 classification.
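As an added example, not part of this record or of any vendor's tooling, the following Python scanner turns the mechanism described above into a detection check: it parses Apache combined-format access log lines (mod_cgi exports the Referer and User-Agent headers into the CGI process environment) and flags any header value that is a Bash function definition followed by trailing text, while leaving a bare function export alone. The log lines are constructed samples with RFC 5737 test addresses.

```python
import re
from typing import List, Optional, Tuple
# Apache "combined" log format. mod_cgi exports Referer and User-Agent to the CGI child's
# environment (HTTP_REFERER, HTTP_USER_AGENT), so those are the fields worth inspecting.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
FUNC_START = re.compile(r'\(\)\s*\{')  # Bash's exported-function prefix "() {"

def trailing_after_function(value: str) -> Optional[str]:
    """If `value` is a Bash exported-function definition with text after the closing
    brace, return that text; else None. Bash <= 4.3 executed the trailing text when
    importing the environment; a bare definition is ordinary function export."""
    value = value.lstrip()
    m = FUNC_START.match(value)
    if m is None:
        return None
    depth = 0
    for i in range(m.end() - 1, len(value)):  # start at the opening brace
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                rest = value[i + 1:].strip()
                return rest or None
    return None  # unbalanced braces: not a complete definition

def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, request, header, trailing_text) per flagged Referer/User-Agent."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue  # not combined format; skip rather than guess at fields
        for field in ("referer", "ua"):
            tail = trailing_after_function(m.group(field))
            if tail is not None:
                hits.append((m.group("ip"), m.group("req"), field, tail))
    return hits

# Constructed sample lines using RFC 5737 test addresses; not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:09:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:09:12:03 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "-" "() { :;}; echo PROBE"',
    '203.0.113.5 - - [25/Sep/2014:09:12:04 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 500 0 "() { x; }; /bin/true" "curl/7.37.0"',
    '192.0.2.9 - - [25/Sep/2014:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "() { echo harmless; }"',
]
```

Running `scan_log(SAMPLE_LOG)` reports the two requests from 203.0.113.5 and nothing for the plain function export on the last line; a real deployment would feed it the live access log and alert on any hit.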

The initial remediation for this issue proved incomplete, resulting in the assignment of CVE-2014-7169 for the residual vulnerability. Vendor advisories such as those from Mageia, Juniper, JVN, and related sources document the necessary updates and configuration changes.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 28 January 2022

Related Threats

CVEs Like This One

CVE-2025-22225 · Same product class: hypervisor / virtualization · both on KEV
CVE-2025-22224 · Same product class: hypervisor / virtualization · both on KEV
CVE-2025-22226 · Same product class: hypervisor / virtualization · both on KEV
CVE-2025-66644 · Shared CWE-78 · both on KEV
CVE-2024-50603 · Shared CWE-78 · both on KEV
CVE-2025-11953 · Shared CWE-78 · both on KEV
CVE-2024-40890 · Shared CWE-78 · both on KEV
CVE-2025-48703 · Shared CWE-78 · both on KEV
CVE-2025-58034 · Shared CWE-78 · both on KEV
CVE-2024-40891 · Shared CWE-78 · both on KEV

Affected Assets

gnu / bash: ≤ 4.3
arista / eos: 4.9.0 — 4.9.12 · 4.10.0 — 4.10.9 · 4.11.0 — 4.11.11
oracle / linux: 4, 5, 6
qnap / qts: 4.1.1 · ≤ 4.1.1
mageia / mageia: 3.0, 4.0
redhat / gluster storage server for on-premise: 2.1
redhat / virtualization: 3.4
redhat / enterprise linux: 4.0, 5.0, 6.0, 7.0
redhat / enterprise linux desktop: 5.0, 6.0, 7.0
redhat / enterprise linux eus: 5.9, 6.4, 6.5, 7.3, 7.4
+64 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation) · prevent: Directly requires timely installation of vendor patches that correct the Bash function-definition parsing flaw enabling unauthenticated remote code execution.

AC-6 (Least Privilege) · prevent: Limits privileges of processes (sshd ForceCommand, Apache CGI, DHCP clients) that receive attacker-supplied environment variables, reducing the impact of successful exploitation.

prevent, detect: Deploys malicious-code detection mechanisms that can block or alert on the arbitrary commands injected through crafted Bash environment variables.

References