CVE-2013-7248
Published: 2014-01-26
Priority: P2 (65)
Severity: critical, CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 4.34% (90.0th percentile)
Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 has a hardcoded password for the roleDiag account, which allows remote attackers to gain root privileges, as demonstrated using a cmdWebCheckRole action in a TSA_REQUEST.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| franklinfueling | ts-550_evo_firmware | — | — |
| franklinfueling | ts-550_evo_firmware | — | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /cgi-bin/tsaws.cgi on port 10001, particularly those carrying the cmdWebCheckRole or cmdWebGetConfiguration action parameters; these indicate exploitation attempts against the TS-550 evo device.
- Alert on authentication attempts using the account name 'roleDiag' on the TS-550 evo web interface; this is the hardcoded privileged account targeted by CVE-2013-7248.
- The roleDiag password is not a fixed string but is derived from the 'key' value returned in every POST response from tsaws.cgi, DES-encrypted with the fixed salt 'aa' and the plaintext '11111111', so it can be computed from any response. Detect by monitoring for SSH enablement actions that follow web interface logins on the device.
- Since root's password is the same as roleAdmin's password, a successful roleDiag login followed by SSH enablement leads to full root compromise (SSH as root using the roleAdmin password). Monitor for unexpected SSH service state changes on TS-550 evo devices.
- The hardcoded roleDiag credential is present in firmware versions prior to 2.4.0. Version 2.4.0 is claimed to mitigate the vulnerability, but this fix was NOT independently verified by Trustwave SpiderLabs.
- The root account password on the TS-550 evo is identical to the roleAdmin account password, so compromise of roleAdmin (e.g. via the DES hash dump from tsaws.cgi) directly yields root access via SSH.
- Password hashes returned by cmdWebGetConfiguration are in DES crypt format and can be cracked offline to access authenticated portions of the application.
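The indicators above (POSTs to /cgi-bin/tsaws.cgi on port 10001 carrying cmdWebCheckRole or cmdWebGetConfiguration, any use of the roleDiag account, and SSH enablement shortly after a web login) can be turned into a small correlation rule. The following is an added example, not code from the advisory, the page's sources, or Franklin Fueling. It assumes a simplified one-request-per-line log format, that the action name appears as a token in the POST body, and a hypothetical SSH-enable action name cmdWebSetSSH (the page does not name that action); the sample log lines are constructed for the example.

```python
"""Detection logic for the CVE-2013-7248 indicators (added example).

Assumptions not stated on the page: the log line format below, the body
parameter name 'action', and the SSH-enable action name 'cmdWebSetSSH'.
"""
import re
from datetime import datetime, timedelta

# Indicators taken from the page: port, path, action names, account name.
TSAWS_PATH = "/cgi-bin/tsaws.cgi"
TSAWS_PORT = 10001
SUSPECT_ACTIONS = {"cmdWebCheckRole", "cmdWebGetConfiguration"}
HARDCODED_ACCOUNT = "roleDiag"
# Assumed (hypothetical): action that turns on SSH via the web interface.
SSH_ENABLE_ACTION = "cmdWebSetSSH"
# Window for correlating a roleDiag login with a later SSH enablement.
CORRELATION_WINDOW = timedelta(minutes=10)

# Assumed log format: "<iso-timestamp> <src-ip> <method> <path> <port> <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+(?P<port>\d+)\s+(?P<body>.*)$"
)

# Constructed sample log (not a real capture): one attacker (10.0.0.5) dumps
# the configuration, logs in as roleDiag, then enables SSH; 10.0.0.7 is a
# normal roleAdmin login; 10.0.0.9 is an unrelated GET.
SAMPLE_LOG = """\
2014-01-26T10:00:01 10.0.0.5 POST /cgi-bin/tsaws.cgi 10001 action=cmdWebGetConfiguration
2014-01-26T10:00:02 10.0.0.5 POST /cgi-bin/tsaws.cgi 10001 action=cmdWebCheckRole&user=roleDiag&password=xxxxxxxx
2014-01-26T10:00:03 10.0.0.5 POST /cgi-bin/tsaws.cgi 10001 action=cmdWebSetSSH&enable=1
2014-01-26T10:05:00 10.0.0.9 GET /index.html 10001 -
2014-01-26T10:06:00 10.0.0.7 POST /cgi-bin/tsaws.cgi 10001 action=cmdWebCheckRole&user=roleAdmin&password=yyyyyyyy
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.fromisoformat(req["ts"])
    req["port"] = int(req["port"])
    return req


def body_tokens(body):
    """Split a form-encoded body into bare tokens (names and values)."""
    return re.split(r"[&=\s]", body)


def action_of(body):
    """Return the first cmdWeb* token in the body, or None."""
    for token in body_tokens(body):
        if token.startswith("cmdWeb"):
            return token
    return None


def check_request(req):
    """Return a list of (severity, reason) findings for one parsed request."""
    findings = []
    if req["method"] != "POST" or req["path"] != TSAWS_PATH or req["port"] != TSAWS_PORT:
        return findings
    action = action_of(req["body"])
    if action in SUSPECT_ACTIONS:
        findings.append(("medium", f"{action} sent to tsaws.cgi"))
    if HARDCODED_ACCOUNT in body_tokens(req["body"]):
        findings.append(("high", f"login attempt with hardcoded account {HARDCODED_ACCOUNT}"))
    if action == SSH_ENABLE_ACTION:
        findings.append(("medium", "SSH enablement via web interface"))
    return findings


def detect(log_text):
    """Run the per-request checks and correlate roleDiag login -> SSH enable.

    Returns a list of (timestamp, src, severity, reason) tuples in log order.
    """
    alerts = []
    last_diag_login = {}  # src ip -> time of its last roleDiag attempt
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for sev, reason in check_request(req):
            alerts.append((req["ts"].isoformat(), req["src"], sev, reason))
            if "hardcoded account" in reason:
                last_diag_login[req["src"]] = req["ts"]
            if reason.startswith("SSH enablement"):
                t0 = last_diag_login.get(req["src"])
                if t0 is not None and req["ts"] - t0 <= CORRELATION_WINDOW:
                    alerts.append((req["ts"].isoformat(), req["src"], "critical",
                                   "SSH enabled shortly after roleDiag login: likely root compromise"))
    return alerts


if __name__ == "__main__":
    for ts, src, sev, reason in detect(SAMPLE_LOG):
        print(f"{ts} {src} [{sev}] {reason}")
```

The per-request checks fire on the individual indicators; the correlation step is what distinguishes a stray roleDiag probe from the full chain the advisory describes (roleDiag login, SSH turned on, root reachable with the roleAdmin password), so the critical alert is keyed on the same source address enabling SSH within a short window of the roleDiag attempt.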
Detection rules: none indexed.
Writeups or analysis: none indexed.