cbcvebase.
CVE-2011-0885
published 2011-02-08


Priority: P266
Severity: critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 10.07% (95.0th percentile)

A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
smc_networks | smcd3g-ccr_firmware | <= 1.4.0.49 |
smc_networks | smcd3g-ccr_firmware | |

Detection & IOCs (extracted from sources)

other: mso:D0nt4g3tme
cookie: userid=<epoch_timestamp>
url: http://10.1.10.1/admin/index.asp
command: curl -sb userid=$i http://10.1.10.1/admin/index.asp | grep -c login.asp

  • Detect login attempts using the default credential 'mso' / 'D0nt4g3tme' against the web interface (port 80/443) or Telnet interface of SMC SMCD3G-CCR devices.
  • Monitor for sequential/brute-force HTTP requests to /admin/index.asp with incrementing integer 'userid' cookie values (epoch-range), indicative of session ID brute-forcing.
  • Alert on CSRF-style POST requests to the gateway management interface pages (e.g., remote administration, DNS, NAT config pages) originating from unexpected referrers or cross-origin contexts.
  • Flag any successful Telnet sessions to the gateway device using the 'mso' account, as this grants UID 0 (root) shell access.
  • The default 'mso' password is not surfaced during device installation and users are not prompted to change it, meaning most deployed devices retain the vulnerable default credential.
  • Session brute-force attack window is limited to approximately 10 minutes due to session expiry, but can be combined with other attack vectors (e.g., CSRF) to increase effectiveness.
  • Only firmware versions prior to 1.4.0.49.2 are affected; the fixed version can be verified via the 'About' link in the management interface.
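
The 'userid' cookie monitoring item above, sketched as detection logic. This is an added example, not code from cvebase or the original advisory. The log line format, client addresses, and threshold are assumptions; the 10-minute window follows the session expiry noted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical proxy/IDS log format (an assumption, not the gateway's own log):
#   <ISO timestamp> <client ip> <method> <path> cookie="<cookie header>"
LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) \S+ (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$')
USERID = re.compile(r'(?:^|;\s*)userid=(\d{9,10})(?:;|$)')  # epoch-range integer

WINDOW = timedelta(minutes=10)   # session lifetime stated on the page
THRESHOLD = 20                   # distinct userid values per client; tune locally

def find_userid_sweeps(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {client_ip: max distinct userid cookies seen in any window}
    for clients that reach the threshold on /admin/index.asp."""
    seen = defaultdict(list)     # client -> [(timestamp, userid), ...]
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["path"].split("?")[0] != "/admin/index.asp":
            continue
        uid = USERID.search(m["cookie"])
        if uid:
            seen[m["src"]].append((datetime.fromisoformat(m["ts"]), int(uid.group(1))))

    alerts = {}
    for src, events in seen.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in events[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts

def sample_log():
    """Constructed sample: one client cycling cookie values, one normal admin."""
    base = datetime(2011, 2, 8, 12, 0, 0)
    sweep = [f'{(base + timedelta(seconds=i)).isoformat()} 10.1.10.50 GET '
             f'/admin/index.asp cookie="userid={1297166400 + i}"' for i in range(40)]
    admin = [f'{(base + timedelta(minutes=m)).isoformat()} 10.1.10.20 GET '
             f'/admin/index.asp cookie="userid=1297166000"' for m in range(5)]
    return sweep + admin

if __name__ == "__main__":
    print(find_userid_sweeps(sample_log()))
```

A legitimate administrator reuses one cookie value per session, so the count of distinct values per client, not the request rate, is what separates the two cases.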