CVE-2017-16885
Published 2018-01-12
CVE-2017-16885: Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R05C01S38 devices (intended for obtaining information about Internet Usage, Changing…
Priority: P270, critical, 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 33.45% (98.2th percentile)
Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R05C01S38 devices (intended for obtaining information about Internet Usage, Changing Passwords, etc.) allows remote attackers to look for the information without authenticating. The information includes Version of device, Firmware ID, Connected users to device along their MAC Addresses, etc.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fiberhome | lm53q1_firmware | — | — |
Detection & IOCs (extracted from sources)
- Unauthenticated HTTP GET to /xml_action.cgi?method=get&module=duster&file=admin retrieves plaintext admin credentials without any authentication; monitor for this request pattern on LM53Q1 devices.
- Unauthenticated HTTP POST to /xml_action.cgi?method=set&module=duster&file=admin with XML body allows remote password change; alert on unauthenticated POST requests to this endpoint.
- Content-Type: application/xml header is used in the unauthenticated password-change POST request; correlate with the /xml_action.cgi endpoint for detection.
- The exploit targets FiberHome LM53Q1 firmware version VH519R05C01S38; use this version string to scope detection to vulnerable devices.
- The gateway IP is dynamically resolved from the attacker's routing table (/proc/net/route), meaning the target IP is the LAN-side default gateway of the device, so exploitation is typically limited to the local network segment.
- The vulnerability affects the Portal on FiberHome LM53Q1 VH519R05C01S38 devices and allows unauthenticated access to device info including firmware ID, connected users, and MAC addresses.
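The request patterns listed above can be matched in HTTP logs as follows. This is an added example, not a rule from this page or its sources; the four-field log format, the sample records and the finding labels are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample records: src_ip, HTTP method, request URI, Content-Type.
# The format is an assumption (e.g. fields exported from a proxy or NIDS HTTP log).
SAMPLE_LOG = """\
192.168.8.23 GET /xml_action.cgi?method=get&module=duster&file=admin -
192.168.8.23 POST /xml_action.cgi?method=set&module=duster&file=admin application/xml
192.168.8.40 GET /index.html -
192.168.8.41 GET /xml_action.cgi?file=admin&module=duster&method=get -
192.168.8.42 GET /XML_ACTION.CGI?method=get&module=duster&file=status -
"""

def classify(method, uri, content_type):
    """Return a finding label for one HTTP request, or None if it does not match."""
    parts = urlsplit(uri)
    # Case-insensitive path match is a defensive choice, not a documented device behaviour.
    if parts.path.lower() != "/xml_action.cgi":
        return None
    # parse_qs makes the match independent of query parameter order.
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("module") != "duster" or q.get("file") != "admin":
        return None
    if method == "GET" and q.get("method") == "get":
        return "admin-config-read"
    if method == "POST" and q.get("method") == "set":
        # Content-Type is the correlating signal named in the list above.
        is_xml = content_type.lower().startswith("application/xml")
        return "admin-password-change" if is_xml else "admin-set-non-xml"
    return None

def scan(log_text):
    """Return a list of (src_ip, label) for every matching record in the log text."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(None, 3)  # Content-Type may itself contain spaces
        if len(fields) != 4:
            continue  # skip malformed records
        src, method, uri, ctype = fields
        label = classify(method, uri, ctype)
        if label:
            findings.append((src, label))
    return findings

if __name__ == "__main__":
    for src, label in scan(SAMPLE_LOG):
        print(f"{src}\t{label}")
```

Because the endpoint answers without a session, any hit from a host that is not a known management station is worth reviewing.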
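CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |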
No detection rules found.
No writeups or analysis indexed.