Cyber Posture

CVE-2015-10145

Severity: High
Public PoC: Yes

Published: 31 December 2025
Modified: 29 January 2026
KEV Added:
Patch:

CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Directly mandates validation of the 'commands' parameter in run_commands.sh to block arbitrary OS command injection.
- Prevent: Restricts the types, sources, and amounts of command inputs accepted by the vulnerable utility, preventing malicious shell commands.
- Prevent: Enforces least privilege on authenticated users and processes handling the 'commands' parameter, limiting the scope of command execution and potential compromise.

Security Summary (AI-generated)

CVE-2015-10145 is an authenticated OS command execution vulnerability affecting Gargoyle router management utility versions 1.5.x. The issue resides in the /utility/run_commands.sh component, where the application fails to properly restrict or validate input supplied via the 'commands' parameter. This allows an authenticated attacker to execute arbitrary shell commands on the underlying system. The vulnerability is classified under CWE-78 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables arbitrary shell command execution, which may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.

Advisories from sources like VulnCheck detail the authenticated OS command execution via run_commands.sh, while PacketStorm provides related exploit information. Blogs from Xlab discuss the vulnerability in the context of the large-scale Airashi botnet.

This vulnerability has seen real-world exploitation, notably as part of the Airashi botnet campaign referenced in security blogs.

Details

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

Vendor: gargoyle-router
Product: gargoyle
Versions: 1.5.0 through 1.5.11

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability allows authenticated remote exploitation of a public-facing router management web application (T1190) to achieve arbitrary OS command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
