CVE-2015-6401
published 2015-12-14

Priority: P2 · 62 · high · 7.5 (CVSS 2.0)
Vector: AV:N / AC:L / Au:N / C:P / I:P / A:P
EXPLOIT
EPSS: 7.63% (93.8th percentile)

Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
cisco | epc3928_docsis_3.0_8x4_wireless_residential_gateway_with_embedded_digital_voice | |
cisco | epc3928_docsis_3.0_8x4_wireless_residential_gateway_with_embedded_digital_voice | |
cisco | epc3928_docsis_3.0_8x4_wireless_residential_gateway_with_embedded_digital_voice | |
cisco | wireless_residential_unauthorized | |

Detection & IOCs (extracted from sources)

url: POST /goform/ChannelsSelection
url: POST /goform/Docsis_log
url: POST /goform/Administration
url: POST /goform/WClientMACList
url: POST /goform/Docsis_system
command: curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system
cookie: Set-Cookie: w00t

  • Detect unauthenticated POST requests to /goform/ endpoints on the Cisco EPC3928 web interface (port 80) without a valid session cookie — specifically targeting ChannelsSelection, Docsis_log, Administration, WClientMACList, and Docsis_system.
  • Alert on HTTP POST to /goform/Docsis_system containing CRLF injection sequences (%0d%0a) in the LanguageSelect parameter, indicative of HTTP response injection exploitation.
  • Alert on POST to /goform/WClientMACList with an oversized h_sortWireless parameter (long repeated character string) as a DoS indicator.
  • Alert on POST to /goform/ChannelsSelection with parameter SAHappyUpstreamChannel sent without authentication cookies/session, indicating unauthorized channel selection command execution.
  • Alert on POST to /goform/Docsis_log with BtnClearLog=Clear+Log sent without authentication, indicating unauthorized log clearing.
  • The vulnerability affects Cisco EPC3928 devices running EDVA firmware versions 5.5.10, 5.5.11, and 5.7.1 only. No software patch was available at time of disclosure.
  • Cisco had not released software updates at time of advisory publication; the recommended interim mitigation was to restrict access to the web management panel from external networks.
  • HTTP response injection payload is stored in device memory and persists across all HTTP responses on port 80 until the device is rebooted.
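
The alert conditions listed above can be expressed as one request classifier. This is an added example, not code from the advisory or from this page's sources; the `has_session` flag (supplied by whatever parses your proxy or IDS logs), the `MAX_SORT_LEN` threshold, the alert names and the sample requests are assumptions made for the illustration.

```python
import re

# /goform/ handlers named in the detection notes above
WATCHED = {"ChannelsSelection", "Docsis_log", "Administration",
           "WClientMACList", "Docsis_system"}
CRLF = re.compile(r"%0d%0a|\r\n", re.IGNORECASE)  # encoded or literal CR LF
MAX_SORT_LEN = 64  # assumed cut-off for an "oversized" h_sortWireless value


def check_request(method, path, has_session, body):
    """Return the alert names raised by one HTTP request to the gateway."""
    m = re.fullmatch(r"/goform/(\w+)", path.split("?", 1)[0])
    if method.upper() != "POST" or not m or m.group(1) not in WATCHED:
        return []
    form = m.group(1)
    # Keep values URL-encoded so %0d%0a is still visible to the CRLF check.
    raw = {k: v for k, _, v in (p.partition("=") for p in body.split("&"))}
    alerts = []
    if not has_session:
        alerts.append("unauth-goform-post")
        if form == "ChannelsSelection" and "SAHappyUpstreamChannel" in raw:
            alerts.append("unauth-channel-selection")
        if form == "Docsis_log" and raw.get("BtnClearLog") == "Clear+Log":
            alerts.append("unauth-log-clear")
    if form == "Docsis_system" and CRLF.search(raw.get("LanguageSelect", "")):
        alerts.append("crlf-in-LanguageSelect")
    if form == "WClientMACList" and len(raw.get("h_sortWireless", "")) > MAX_SORT_LEN:
        alerts.append("oversized-h_sortWireless")
    return alerts


# Constructed sample requests: (method, path, has_session, body)
SAMPLES = [
    ("POST", "/goform/Docsis_system", False,
     "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t"
     "&Language_Submit=0&login=Log+In"),
    ("POST", "/goform/Docsis_log", False, "BtnClearLog=Clear+Log"),
    ("POST", "/goform/WClientMACList", True, "h_sortWireless=" + "A" * 200),
    ("POST", "/goform/Administration", True, "example_field=1"),
    ("GET", "/goform/Docsis_system", False, ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], check_request(*sample))
```

The CRLF and oversized-parameter checks fire regardless of session state, since both conditions are anomalous even from a logged-in client.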

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_cisco | 6.4 | MEDIUM