cbcvebase.
CVE-2013-2579
published 2013-10-11

CVE-2013-2579: TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 have an empty password for…

PriorityP262critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
3.90%
89.0th percentile
TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 have an empty password for the hardcoded "qmik" account, which allows remote attackers to obtain administrative access via a TELNET session.

Affected

1 ranges
VendorProductVersion rangeFixed in
tp-linklm_firmware<= 1.6.18p12_sign5

Detection & IOCsextracted from sources · hover to see the quote

otherusername: qmik / password: (none)
path/cgi-bin/admin/servetest
path/cgi-bin/uploadfile
path/cgi-bin/firmwareupgrade
path/cgi-bin/reboot
path/cgi-bin/hardfactorydefault
url/cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q
command/usr/sbin/telnetd
otherAuthorization: Basic YWRtaW46YWRtaW4=
path/mnt/mtd
filenameCOM_T01F001_LM.1.6.18P12_sign5_TPL.TL-SC3171.bin
  • Detect Telnet login attempts using the hardcoded account 'qmik' with no password on TP-Link IP cameras.
  • Monitor HTTP GET requests to /cgi-bin/admin/servetest containing semicolons in parameter values, indicative of OS command injection attempts (e.g., injecting /usr/sbin/telnetd).
  • Alert on unauthenticated POST requests to /cgi-bin/uploadfile, which allows arbitrary file uploads without authentication.
  • Alert on unauthenticated GET/POST requests to /cgi-bin/firmwareupgrade, which allows remote firmware replacement without authentication.
  • The 'qmik' user can escalate to root via 'su'; monitor for 'su' execution following a 'qmik' Telnet session on affected devices.
  • Detect use of Base64-encoded 'admin:admin' credentials (YWRtaW46YWRtaW4=) in HTTP Basic Authorization headers targeting TP-Link camera CGI endpoints.
  • ·The hardcoded 'qmik' account with empty password is only exploitable if the Telnet service is running; Telnet can be enabled remotely via the CVE-2013-2578 command injection in /cgi-bin/admin/servetest.
  • ·Affected firmware is LM.1.6.18P12_sign5 and earlier; the patched version is LM.1.6.18P12_sign6 (beta). Other TP-Link camera models beyond TL-SC3171 may also be affected but were not confirmed tested.
  • ·Factory reset via /cgi-bin/hardfactorydefault enables authentication bypass using 'admin:admin', which can be chained with other vulnerabilities to achieve full device compromise.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.