cbcvebase.
CVE-2013-2572
published 2020-01-29

CVE-2013-2572: A Security Bypass vulnerability exists in TP-LINK IP Cameras TL-SC 3130, TL-SC 3130G, 3171G, 4171G, and 3130 1.6.18P12 due to default hard-coded credentials…

PriorityP266high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
16.43%
96.6th percentile
A Security Bypass vulnerability exists in TP-LINK IP Cameras TL-SC 3130, TL-SC 3130G, 3171G, 4171G, and 3130 1.6.18P12 due to default hard-coded credentials for the administrative Web interface, which could let a malicious user obtain unauthorized access to CGI files.

Affected

4 ranges
VendorProductVersion rangeFixed in
tp-linktl-sc_3130_firmware<= 1.6.18p12
tp-linktl-sc_3130g_firmware<= 1.6.18p12
tp-linktl-sc_3171g_firmware<= 1.6.18p12
tp-linktl-sc_4171g_firmware<= 1.6.18p12

Detection & IOCsextracted from sources · hover to see the quote

otherusername: manufacture / password: erutcafunam
path/cgi-bin/mft/manufacture.cgi
urlhttp://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
filenameboa.conf
commandMFT manufacture erutcafunam
  • Detect HTTP requests to the hidden /cgi-bin/mft/ endpoint, which is not exposed in the normal user web interface and should never be accessed by legitimate users.
  • Alert on HTTP Basic Auth attempts using the hardcoded credential pair 'manufacture' / 'erutcafunam' against TP-Link camera web interfaces.
  • Detect OS command injection attempts via the 'ap' parameter in requests to wireless_mft.cgi, particularly use of semicolons to chain shell commands (e.g., ';cp%20').
  • ·The hardcoded 'manufacture' account is not visible from the user web interface and cannot be removed or changed by end users — it is baked into boa.conf in firmware v1.6.18P12 and below.
  • ·CVE-2013-2572 (hard-coded credentials) was confirmed to work on TL-SC 3130 only, while the related CVE-2013-2573 (command injection via wireless_mft.cgi) affects TL-SC 3130G, 3171G, and 4171G as well.
  • ·Other TP-Link camera models and firmware versions beyond those tested may also be affected but were not verified.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.