CVE-2017-14942
published 2017-09-30

CVE-2017-14942: Intelbras WRN 150 devices allow remote attackers to read the configuration file, and consequently bypass authentication, via a direct request for…

Priority P180, critical, 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 60.86% (99.0th percentile)
Intelbras WRN 150 devices allow remote attackers to read the configuration file, and consequently bypass authentication, via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg containing an admin:language=pt cookie.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
intelbras | wrn_150_firmware | |
tenda | f3_firmware | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/DownloadCfg/RouterCfm.cfg
path: /cgi-bin/DownloadCfg/RouterCfm.cfg
  • Detect exploitation attempts by monitoring HTTP GET requests to /cgi-bin/DownloadCfg/RouterCfm.cfg, especially those carrying the 'admin:language' cookie header.
  • A successful exploit response will have Content-Type containing 'config/conf', HTTP status 200, and body containing both 'wl_' and '_passwd' strings — flag responses matching all three conditions.
  • Use Shodan/FOFA queries to identify exposed Intelbras WRN150 devices as potential targets: Shodan html:"WRN150", FOFA title="WRN150".
  • Reference exploit available at exploit-db for signature/rule development.
  • For the related Tenda N300 F3 variant (CVE-2020-35391), it is unclear whether a trailing '?' after the filename or unusual HTTP request headers are required to trigger the vulnerable response; the exact triggering condition is unconfirmed.
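
The request and response conditions from the bullets above, written as a passive check over logged HTTP transactions. This is an added example, not code from the cited sources; the record field names (method, path, cookie, status, content_type, body) and the sample transactions are constructed assumptions to be mapped onto your proxy or sensor logs.

```python
CFG_PATH = "/cgi-bin/DownloadCfg/RouterCfm.cfg"

def classify(txn):
    """Return (verdict, cookie_seen) for one logged HTTP transaction.

    verdict is 'none', 'attempt' (GET for the config path) or 'config_leaked'
    (status 200 + Content-Type containing 'config/conf' + body containing
    both 'wl_' and '_passwd', i.e. all three response conditions).
    """
    # Ignore any query string, so a request ending in a bare '?' still matches.
    path = txn.get("path", "").split("?", 1)[0]
    if txn.get("method", "").upper() != "GET" or path != CFG_PATH:
        return ("none", False)
    # The cookie raises confidence but is not required to flag the request.
    cookie_seen = "admin:language" in txn.get("cookie", "")
    body = txn.get("body", "")
    leaked = (
        txn.get("status") == 200
        and "config/conf" in txn.get("content_type", "").lower()
        and "wl_" in body
        and "_passwd" in body
    )
    return ("config_leaked" if leaked else "attempt", cookie_seen)

def triage(transactions):
    """Return only the flagged transactions, each paired with its verdict."""
    results = [(classify(t), t) for t in transactions]
    return [(v, t) for v, t in results if v[0] != "none"]

# Constructed sample records (not real traffic; config keys are placeholders).
SAMPLES = [
    {"method": "GET", "path": CFG_PATH, "cookie": "admin:language=pt",
     "status": 200, "content_type": "config/conf",
     "body": "wl_ssid=lab\nhttp_passwd=REDACTED\n"},
    {"method": "GET", "path": CFG_PATH + "?", "cookie": "",
     "status": 302, "content_type": "text/html", "body": ""},
    {"method": "GET", "path": "/index.asp", "cookie": "admin:language=pt",
     "status": 200, "content_type": "text/html", "body": "<html></html>"},
]

if __name__ == "__main__":
    for verdict, txn in triage(SAMPLES):
        print(verdict, txn["path"], txn["status"])
```

A 'config_leaked' verdict means the device returned its configuration to an unauthenticated request, so the credentials in that file should be treated as exposed.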

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | | 9.8 | CRITICAL |