CVE-2013-5755
published 2014-07-16


Priority: P260 (critical)
CVSS 2.0 base score: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 4.34% (90.0th percentile)
config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password of (1) user (s7C9Cx.rLsWFA) for the user account, (2) admin (uoCbM.VEiKQto) for the admin account, and (3) var (jhl3iZAe./qXM) for the var account, which makes it easier for remote attackers to obtain access via unspecified vectors.

Detection & IOCs (extracted from sources)

path: /config/.htpasswd
path: /cgi-bin/cgiServer.exx
command: system("/bin/busybox%20telnetd%20start")
other: Authorization: Basic YWRtaW46YWRtaW4=
other: user:s7C9Cx.rLsWFA
other: admin:uoCbM.VEiKQto
other: var:jhl3iZAe./qXM
  • Detect POST requests to /cgi-bin/cgiServer.exx, particularly with a body containing OS command injection via the system() function
  • Alert on use of the hardcoded Base64 Basic Auth header 'YWRtaW46YWRtaW4=' (admin:admin) in HTTP requests to Yealink SIP-T38G devices
  • Monitor for telnetd activation commands on Yealink SIP-T38G devices, indicating post-exploitation persistence via busybox telnet daemon
  • Flag HTTP requests to /config/.htpasswd on Yealink SIP-T38G devices, as this file contains hardcoded credential hashes
  • Three hardcoded accounts exist in /config/.htpasswd with known cleartext passwords: user:user, admin:admin, var:var. All three are trivially guessable, and they cannot be changed without modifying the firmware
  • The hardcoded credentials are stored in the .htpasswd file as fixed hashes and protect the web management interface; exploitation requires no knowledge beyond these published values