cbcvebase.
CVE-2014-8656
published 2014-11-06

CVE-2014-8656: The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a default password of (1) admin for the…

PriorityP265critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
10.85%
95.3th percentile
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a default password of (1) admin for the admin account and (2) compalbn for the root account, which makes it easier for remote attackers to obtain access to certain sensitive information via unspecified vectors.

Affected

3 ranges
VendorProductVersion rangeFixed in
compal_broadband_networkscg6640e_wireless_gateway
compal_broadband_networksch664oe_wireless_gateway
compal_broadband_networksfirmware

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://192.168.0.1/xml/CmgwWirelessSecurity.xml
urlhttp://192.168.0.1/xml/DocsisConfigFile.xml
urlhttp://192.168.0.1/xml/CmgwBasicSetup.xml
urlhttp://192.168.0.1/basicDDNS.html
urlhttp://192.168.0.1/basicLanUsers.html
urlhttp://192.168.0.1:5000/rootDesc.xml
cookieuserData=root
urlhttp://192.168.0.1/wirelessChannelStatus.html
urlhttp://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c#
urlhttp://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0
urlhttp://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8
urlhttp://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1
urlhttp://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2
port5000
  • Unauthenticated access to sensitive XML endpoints (CmgwWirelessSecurity.xml, DocsisConfigFile.xml, CmgwBasicSetup.xml) indicates exploitation of the authorization bypass vulnerability.
  • Setting the 'userData' cookie to 'root' or 'admin' is the mechanism used to bypass authorization and reveal additional pages/info; monitor HTTP requests with this cookie value.
  • CSRF attack pattern: unauthenticated GET requests to setWirelessSecurity.html, setBasicDHCP1.html, or setAdvancedOptions.html with configuration parameters should be treated as suspicious.
  • Default credentials admin/admin and root/compalbn are hardcoded; detect successful logins using these credentials in authentication logs.
  • ·All IOCs are based on the default gateway IP 192.168.0.1; actual deployment IPs may differ if the LAN default has been changed.
  • ·Vulnerability confirmed only on firmware version CH6640-3.5.11.7-NOSH; other firmware versions may not be affected.
  • ·The UPnP endpoint on port 5000 (rootDesc.xml) is accessible without authentication and exposes device information; this port should be monitored or blocked at the network perimeter.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.