CVE-2015-6401
published 2015-12-14CVE-2015-6401: Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified…
PriorityP262high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
7.63%
93.8th percentile
Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | epc3928_docsis_3.0_8x4_wireless_residential_gateway_with_embedded_digital_voice | — | — |
| cisco | epc3928_docsis_3.0_8x4_wireless_residential_gateway_with_embedded_digital_voice | — | — |
| cisco | epc3928_docsis_3.0_8x4_wireless_residential_gateway_with_embedded_digital_voice | — | — |
| cisco | wireless_residential_unauthorized | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandcurl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system↗
- →Detect unauthenticated POST requests to /goform/ endpoints on the Cisco EPC3928 web interface (port 80) without a valid session cookie — specifically targeting ChannelsSelection, Docsis_log, Administration, WClientMACList, and Docsis_system. ↗
- →Alert on HTTP POST to /goform/Docsis_system containing CRLF injection sequences (%0d%0a) in the LanguageSelect parameter, indicative of HTTP response injection exploitation. ↗
- →Alert on POST to /goform/WClientMACList with an oversized h_sortWireless parameter (long repeated character string) as a DoS indicator. ↗
- →Alert on POST to /goform/ChannelsSelection with parameter SAHappyUpstreamChannel sent without authentication cookies/session, indicating unauthorized channel selection command execution. ↗
- →Alert on POST to /goform/Docsis_log with BtnClearLog=Clear+Log sent without authentication, indicating unauthorized log clearing. ↗
- ·The vulnerability affects Cisco EPC3928 devices running EDVA firmware versions 5.5.10, 5.5.11, and 5.7.1 only. No software patch was available at time of disclosure. ↗
- ·Cisco had not released software updates at time of advisory publication; the recommended interim mitigation was to restrict access to the web management panel from external networks. ↗
- ·HTTP response injection payload is stored in device memory and persists across all HTTP responses on port 80 until the device is rebooted. ↗
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_cisco6.4MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-xfj3-xvvf-2p8c: Cisco EPC3928 devices with EDVA 5
ghsa_unreviewed·2022-05-17
CVE-2015-6401 [HIGH] CWE-287 GHSA-xfj3-xvvf-2p8c: Cisco EPC3928 devices with EDVA 5
Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.
Cisco
Cisco Wireless Residential Unauthorized Command Vulnerability
vendor_cisco·2015-12-08·CVSS 6.4
CVE-2015-6401 [MEDIUM] CWE-287 Cisco Wireless Residential Unauthorized Command Vulnerability
Cisco Wireless Residential Unauthorized Command Vulnerability
A vulnerability with web interface access authentication of the Cisco EPC3928 Wireless Residential Gateway could allow an unauthenticated, remote attacker to issue a subset of commands as the administrator without authenticating to the device.
The vulnerability is due to lack of authentication required for certain administrative functions through the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the device. An exploit could allow the attacker to execute a subset of administrator functions without being authenticated.
Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at
Cisco
Cisco Wireless Residential Unauthorized Command Vulnerability
vendor_cisco
CVE-2015-6401 Cisco Wireless Residential Unauthorized Command Vulnerability
CVE-2015-6401: Cisco Wireless Residential Unauthorized Command Vulnerability
A vulnerability with web interface access authentication of the Cisco EPC3928 Wireless Residential Gateway could allow an unauthenticated, remote attacker to issue a subset of commands as the administrator without authenticating to the device. The vulnerability is due to lack of authentication required for certain administrative functions through the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the device. An exploit could allow the attacker to execute a subset of administrator functions without being authenticated. Cisco has not released software updates that address this vulnerability. There are no
CWE: CWE-287, CWE-287
Bug IDs: CSCux24941
No detection rules found.
No writeups or analysis indexed.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151208-cwrhttp://www.securitytracker.com/id/1034347https://www.exploit-db.com/exploits/39904/http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151208-cwrhttp://www.securitytracker.com/id/1034347https://www.exploit-db.com/exploits/39904/
2015-12-14
Published