CVE-2013-2579
Published 2013-10-11
Priority P262 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 3.90% (89.0th percentile)
TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 have an empty password for the hardcoded "qmik" account, which allows remote attackers to obtain administrative access via a TELNET session.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | lm_firmware | <= 1.6.18p12_sign5 | — |
Detection & IOCs (extracted from sources)
url: /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q
- Detect Telnet login attempts using the hardcoded account 'qmik' with no password on TP-Link IP cameras.
- Monitor HTTP GET requests to /cgi-bin/admin/servetest containing semicolons in parameter values, indicative of OS command injection attempts (e.g., injecting /usr/sbin/telnetd).
- Alert on unauthenticated POST requests to /cgi-bin/uploadfile, which allows arbitrary file uploads without authentication.
- Alert on unauthenticated GET/POST requests to /cgi-bin/firmwareupgrade, which allows remote firmware replacement without authentication.
- The 'qmik' user can escalate to root via 'su'; monitor for 'su' execution following a 'qmik' Telnet session on affected devices.
- Detect use of Base64-encoded 'admin:admin' credentials (YWRtaW46YWRtaW4=) in HTTP Basic Authorization headers targeting TP-Link camera CGI endpoints.
- The hardcoded 'qmik' account with empty password is only exploitable if the Telnet service is running; Telnet can be enabled remotely via the CVE-2013-2578 command injection in /cgi-bin/admin/servetest.
- Affected firmware is LM.1.6.18P12_sign5 and earlier; the patched version is LM.1.6.18P12_sign6 (beta). Other TP-Link camera models beyond TL-SC3171 may also be affected but were not confirmed tested.
- Factory reset via /cgi-bin/hardfactorydefault enables authentication bypass using 'admin:admin', which can be chained with other vulnerabilities to achieve full device compromise.
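The HTTP indicators in the notes above can be checked against a proxy or gateway access log. The following is an added example, not a rule from this page or its sources; it assumes Common Log Format lines, and the function names, finding labels and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Endpoints named in the notes above. Every hit is flagged for review, because
# an access log alone does not show whether the request was authenticated.
SENSITIVE = {
    "/cgi-bin/uploadfile": "file-upload endpoint",
    "/cgi-bin/firmwareupgrade": "firmware-upgrade endpoint",
    "/cgi-bin/hardfactorydefault": "factory-reset endpoint",
}
SERVETEST = "/cgi-bin/admin/servetest"
# Assumed layout (Common Log Format): ip - user [time] "METHOD target PROTO" ...
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*"')

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:00:00:00 +0000] "GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=mail.example;placeholder;&ServerPort=25 HTTP/1.1" 200 12',
    '192.0.2.11 - - [01/Jan/2024:00:00:00 +0000] "GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=mail.example%3Bplaceholder HTTP/1.1" 200 12',
    '192.0.2.12 - - [01/Jan/2024:00:00:00 +0000] "POST /cgi-bin/uploadfile HTTP/1.1" 200 0',
    '192.0.2.13 - - [01/Jan/2024:00:00:00 +0000] "GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=mail.example&ServerPort=25 HTTP/1.1" 200 12',
    '192.0.2.14 - - [01/Jan/2024:00:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def classify(line):
    """Return a list of (source_ip, finding) tuples for one access-log line."""
    m = REQUEST.match(line)
    if not m:
        return []
    ip, method, target = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    findings = []
    if path in SENSITIVE:
        findings.append((ip, f"{method} to {SENSITIVE[path]}"))
    if path == SERVETEST:
        # Split on '&' only and decode afterwards, so both ';' and '%3B' are seen.
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            if ";" in unquote_plus(value):
                findings.append((ip, f"semicolon in servetest parameter {name}"))
    return findings

def scan(lines):
    """Collect findings across all log lines, in input order."""
    return [finding for line in lines for finding in classify(line)]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE):
        print(ip, finding)
```

The Telnet-side indicators ('qmik' logins, 'su' after a 'qmik' session) and the Basic Authorization check need network or device telemetry that access logs do not normally carry, so they are outside this example.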