CVE-2016-10372
Published: 2017-05-16
Priority: P1 92 critical · CVSS 3.0: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: In the wild · Exploit available · VulnCheck KEV
Exploited in the wild
EPSS: 81.90% (99.6th percentile)
The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80, retrieving the login password (which defaults to the Wi-Fi password), and using the NewNTPServer feature.
Detection & IOCs (extracted from sources)
- Monitor for inbound TR-064 SOAP requests on TCP port 7547, specifically those containing the 'NewNTPServer' parameter, which is the injection vector for this CVE.
- Alert on unauthenticated TR-064 SOAP requests to TCP/7547 from WAN-side (external) IP addresses targeting Zyxel/Eir D1000 modems.
- Detect attempts to open WAN access to TCP port 80 via TR-064 commands, which may indicate an attacker staging further access after initial exploitation.
- The exploit was tested on specific firmware versions; detection and patching efforts should prioritize devices running firmware up to and including the stated version.
- The default login password on affected devices equals the Wi-Fi password, meaning successful exploitation of this CVE can directly expose Wi-Fi credentials.
CVSS provenance
- nvd, v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- nvd, v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-84jm-8434-c983 · ghsa_unreviewed · 2022-05-17 · CVE-2016-10372 [CRITICAL]
The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80, retrieving the login password (which defaults to the Wi-Fi password), and using the NewNTPServer feature.
VulnCheck
Eir D1000 Modem TR-064 Remote Command Execution · vulncheck · 2016 · CVSS 9.8 · CVE-2016-10372 [CRITICAL]
The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80, retrieving the login password (which defaults to the Wi-Fi password), and using the NewNTPServer feature.
Affected: eir d1000_modem_firmware
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://threatprotect.qualys.com/2016/12/14/remote-code-execution-attack-against-eircom-d1000-router/
- https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_02B-3_Herwig_paper.pdf
- https://www.researchgate.net/pu
No detection rules found.
References:
- https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/
- https://ghostbin.com/paste/q2vq2
- https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/