CVE-2017-16886
published 2018-01-12


Priority: P2 · 61 · high · 8.8 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.11% (93.5th percentile)
The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP based web services in order to interact with the portal. Unauthorized Access to Web Services via CSRF can result in an unauthorized change of username or password of the administrator of the portal.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fiberhome | lm53q1_firmware | | |

Detection & IOCs (extracted from sources)

url: http://<ip>/xml_action.cgi?method=get&module=duster&file=admin
url: http://<ip>/xml_action.cgi?method=set&module=duster&file=admin
path: /xml_action.cgi
  • Monitor for unauthenticated HTTP GET requests to /xml_action.cgi?method=get&module=duster&file=admin — this endpoint exposes admin credentials without authentication on FiberHome LM53Q1 devices.
  • Monitor for unauthenticated HTTP POST requests to /xml_action.cgi?method=set&module=duster&file=admin with Content-Type: application/xml — this is the CSRF/unauthorized SOAP call used to change the admin password.
  • The exploit targets FiberHome Mobile WIFI Device Model LM53Q1 firmware version VH519R05C01S38 specifically; fingerprint devices on the network by this version string.
  • The SOAP/XML payload for password change wraps the new password in XML tags and is sent with Content-Type: application/xml — alert on POST requests to /xml_action.cgi carrying an XML body targeting the 'admin' file module.
  • The portal uses SOAP-based web services; unauthorized access (CSRF) to these services can result in unauthorized change of username or password of the administrator.
  • The gateway IP is dynamically resolved from the attacking host's default route (/proc/net/route); the actual device IP will vary per deployment — the IOC URLs above use a placeholder <ip>.
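
The monitoring bullets above can be turned into a log check. The following is an added example, not code from the advisory or the vendor: it assumes HTTP traffic to the device is recorded by a proxy or sensor in combined log format, and the sample lines, addresses, the `status` file name and the finding labels are constructed for illustration. It also flags a password-change POST whose Referer is not the portal itself, which is how a CSRF-driven request appears in such a log; the log does not show whether a request was authenticated.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: src - - [ts] "VERB URL PROTO" status bytes "referer" "ua"
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<verb>[A-Z]+) (?P<url>\S+) [^"]*" '
                  r'\d{3} \S+ "(?P<referer>[^"]*)"')

def classify(line, device_host):
    """Return (src, finding) for a request touching the admin file, else None."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    # Normalise the query so parameter order and case do not evade the match.
    q = {k.lower(): v[0].lower() for k, v in parse_qs(url.query).items()}
    if url.path != "/xml_action.cgi" or q.get("module") != "duster" or q.get("file") != "admin":
        return None
    verb, method = m["verb"], q.get("method")
    if verb == "GET" and method == "get":
        return m["src"], "admin-read"
    if verb == "POST" and method == "set":
        # A CSRF-driven POST comes from a page on another origin (or carries no Referer).
        ref_host = urlsplit(m["referer"]).hostname
        return m["src"], "admin-set" if ref_host == device_host else "admin-set-off-portal"
    return None

def scan(lines, device_host):
    return [hit for hit in (classify(l, device_host) for l in lines) if hit]

# Constructed sample log lines (documentation address range 192.0.2.0/24).
SAMPLE = [
    '192.0.2.10 - - [12/Jan/2018:10:00:00 +0000] "GET /xml_action.cgi?method=get&module=duster&file=admin HTTP/1.1" 200 512 "-" "curl/7.58"',
    '192.0.2.20 - - [12/Jan/2018:10:01:00 +0000] "POST /xml_action.cgi?method=set&module=duster&file=admin HTTP/1.1" 200 64 "http://example.test/page.html" "Mozilla/5.0"',
    '192.0.2.20 - - [12/Jan/2018:10:02:00 +0000] "POST /xml_action.cgi?file=admin&module=duster&method=set HTTP/1.1" 200 64 "http://192.0.2.1/index.html" "Mozilla/5.0"',
    '192.0.2.30 - - [12/Jan/2018:10:03:00 +0000] "GET /xml_action.cgi?method=get&module=duster&file=status HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE, "192.0.2.1"):
        print(src, finding)
```
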

CVSS provenance

nvd · v3.0 · 8.8 · HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P