GenieACS – Unauthenticated Remote Code Execution

The vulnerability (CVE-2014-4956) allows an attacker to execute JavaScript code (the system runs on Node.js) on a vulnerable GenieACS server, resulting in complete server compromise. GenieACS is an open-source implementation of an ACS (Auto Configuration Server) written in Node.js. It is popular in the ISP industry as a convenient and inexpensive way to implement the TR-069 protocol.