CVE-2017-14243
published 2017-09-17


Priority: P272, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.79% (96.3rd percentile)
An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01 devices allows attackers to directly access administrative settings and obtain cleartext credentials from HTML source, as demonstrated by info.cgi, upload.cgi, backupsettings.cgi, pppoe.cgi, resetrouter.cgi, and password.cgi.

Affected

1 range
Vendor | Product | Version range | Fixed in
utstar | wa3002g4_firmware | |

Detection & IOCs (extracted from sources)

path: /info.cgi
path: /upload.cgi
path: /backupsettings.cgi
path: /pppoe.cgi
path: /resetrouter.cgi
path: /password.cgi
  • Detect unauthenticated HTTP GET/POST requests to any of the sensitive .cgi endpoints (info.cgi, upload.cgi, backupsettings.cgi, pppoe.cgi, resetrouter.cgi, password.cgi) on UTStar WA3002G4 devices. Legitimate access should require authentication; direct .cgi access without a prior authenticated session is indicative of exploitation.
  • Monitor HTTP responses from the device for cleartext credential disclosure (Admin, Support, and User passwords) embedded in HTML source, which would appear in the body of responses from password.cgi or info.cgi.
  • Alert on HTTP requests to resetrouter.cgi or upload.cgi originating from non-management network segments, as these endpoints allow unauthenticated router reset and firmware upload respectively.
  • The authentication bypass is specific to firmware version WA3002G4-0021.01; verify device firmware version before applying detections to avoid false positives on patched or different firmware variants.
  • The bypass technique relies on accessing .cgi equivalents of .html admin pages; detection rules should specifically target direct .cgi path access rather than .html paths, as .html access is the normal (authenticated) flow.
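
The detection notes above, sketched as an added example (not code from the advisory, the vendor or this site): it flags sensitive .cgi requests that were served without credentials, and reset or upload requests from outside the management segment. The record format, the `has_auth` field (1 when the request carried credentials or a session), the management subnet, the reading of a non-200 status as a refused request, and the sample lines are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Endpoints named in the CVE description.
SENSITIVE = {"/info.cgi", "/upload.cgi", "/backupsettings.cgi",
             "/pppoe.cgi", "/resetrouter.cgi", "/password.cgi"}
STATE_CHANGING = {"/resetrouter.cgi", "/upload.cgi"}
# Assumption: the site's management segment; adjust to the real one.
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/28")]

# Constructed sensor records: "time src method url status has_auth"
SAMPLE_LOG = """\
2017-09-20T10:00:01Z 192.168.1.5 GET /info.html 200 1
2017-09-20T10:00:02Z 192.168.1.5 GET /info.cgi 200 1
2017-09-20T10:03:10Z 192.168.1.77 GET /password.cgi 200 0
2017-09-20T10:04:00Z 192.168.1.77 POST /resetrouter.cgi?x=1 200 0
2017-09-20T10:05:00Z 192.168.1.5 POST /upload.cgi 200 1
2017-09-20T10:06:00Z 192.168.1.77 GET /password.html 401 0
2017-09-20T10:07:00Z 10.0.0.9 GET /backupsettings.cgi 401 0
"""

def detect(log_text):
    """Return (time, src, path, rule) tuples for suspicious requests."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        ts, src, _method, url, status, has_auth = parts
        path = urlsplit(url).path  # drop any query string
        if path not in SENSITIVE:
            continue  # .html pages are the normal authenticated flow
        # Rule 1: the device served a sensitive .cgi with no credentials.
        # A refusal (non-200) is what non-vulnerable firmware is assumed to return.
        if has_auth == "0" and status == "200":
            alerts.append((ts, src, path, "unauth-cgi-served"))
        # Rule 2: reset or firmware upload from outside the management net.
        ip = ipaddress.ip_address(src)
        if path in STATE_CHANGING and not any(ip in n for n in MGMT_NETS):
            alerts.append((ts, src, path, "state-change-from-non-mgmt"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```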

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C