CVE-2017-8336
Description
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in the request that sets up routes on the device can be set in a way that overflows the stack and allows an attacker to control the $ra register stored on the stack. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive containing the filesystem set up on the device, including all the binaries. The binary "goahead" is the one that has the vulnerable function that receives the values sent by the POST request. If we open this binary in IDA Pro, we will notice that it follows a MIPS little-endian format. The function sub_00420F38 in IDA Pro is identified as receiving the values sent in the POST request. The POST parameter "gateway" makes it possible to overflow the stack and control the $ra register after 1546 characters. The value from this POST parameter is then copied onto the stack at address 0x00421348 as shown below. This allows an attacker to provide the payload of his/her choice and finally take control of the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in the gateway POST parameter of Securifi Almond devices lets attackers control execution via the $ra register.
Vulnerability
A stack buffer overflow vulnerability exists in the "goahead" binary on Securifi Almond, Almond+, and Almond 2015 devices running firmware version AL-R096 [1][2]. The flaw is located in the sub_00420F38 function, which processes the POST parameter "gateway" when the user adds a new route. The input is copied onto the stack at address 0x00421348 without proper bounds checking, allowing an overflow after 1546 characters [1].
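A hardened form of the copy described above, as an added example (not code from the goahead binary, the firmware, or the cited advisories). The function name `parse_gateway` and its status codes are hypothetical; it assumes a route gateway is an IPv4 dotted-quad address, rejects anything that does not fit a fixed buffer instead of truncating it, and stores only the re-serialised address.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the hypothetical validator below. */
enum gw_status { GW_OK = 0, GW_MISSING = -1, GW_TOO_LONG = -2, GW_NOT_IPV4 = -3 };

/*
 * Validate an untrusted "gateway" form value and copy it into a fixed-size
 * buffer. `out` must hold at least INET_ADDRSTRLEN (16) bytes.
 */
int parse_gateway(const char *value, char out[INET_ADDRSTRLEN])
{
    struct in_addr addr;
    const char *end;

    if (value == NULL || out == NULL)
        return GW_MISSING;

    /* Bounded scan: look for the terminator only within the space the
     * destination can hold, so the input length never drives the copy. */
    end = memchr(value, '\0', INET_ADDRSTRLEN);
    if (end == NULL)
        return GW_TOO_LONG;          /* reject, do not truncate */
    if (end == value)
        return GW_MISSING;           /* empty string */

    /* Accept only a strict dotted-quad IPv4 address. */
    if (inet_pton(AF_INET, value, &addr) != 1)
        return GW_NOT_IPV4;

    /* Store the canonical text produced from the parsed address,
     * never the raw request bytes. */
    if (inet_ntop(AF_INET, &addr, out, INET_ADDRSTRLEN) == NULL)
        return GW_NOT_IPV4;
    return GW_OK;
}

int main(void)
{
    char out[INET_ADDRSTRLEN];
    char oversized[2001];            /* constructed sample input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("valid:     %d\n", parse_gateway("192.168.1.1", out));
    printf("oversized: %d\n", parse_gateway(oversized, out));
    return 0;
}
```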
Exploitation
An attacker must be able to send a crafted HTTP POST request to the device's web interface (goahead), which requires network access to the management interface. No authentication is mentioned as a prerequisite. By supplying a "gateway" parameter value longer than 1546 bytes, the attacker overwrites the saved $ra register on the stack [1]. This control over the return address enables arbitrary code execution in the MIPS little-endian environment.
Impact
Successful exploitation allows the attacker to execute arbitrary code with the privileges of the goahead process, which typically runs with root or high-level access on the device [1]. This leads to full compromise of the device, including the ability to alter configuration, exfiltrate data, or launch further attacks.
Mitigation
As of the available references [1][2], a patched firmware version has not been publicly disclosed. Users are advised to restrict network access to the device's management interface, monitor for firmware updates from Securifi, and consider replacing the device if it reaches end-of-life. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Securifi/Almond
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/153227/Securifi-Almond-2015-Buffer-Overflow-Command-Injection-XSS-CSRF.html (mitre, x_refsource_MISC)
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Securifi_Almond_plus_sec_issues.pdf (mitre, x_refsource_MISC)
- seclists.org/bugtraq/2019/Jun/8 (mitre, mailing-list, x_refsource_BUGTRAQ)