cbcvebase.
CVE-2017-16887
published 2018-01-12

CVE-2017-16887: The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP based web services in order to interact with the portal. Unauthorized Access…

PriorityP273critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
36.63%
98.3th percentile
The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP based web services in order to interact with the portal. Unauthorized Access to Web Services can result in disclosure of the WLAN key/password.

Affected

1 ranges
VendorProductVersion rangeFixed in
fiberhomelm53q1_firmware

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://<ip>/xml_action.cgi?method=get&module=duster&file=admin
urlhttp://<ip>/xml_action.cgi?method=set&module=duster&file=admin
path/xml_action.cgi
  • Monitor for unauthenticated HTTP GET requests to /xml_action.cgi?method=get&module=duster&file=admin — this endpoint exposes admin credentials without authentication on FiberHome LM53Q1 devices.
  • Monitor for unauthenticated HTTP POST requests to /xml_action.cgi?method=set&module=duster&file=admin with Content-Type: application/xml — this is the unauthorized admin password change endpoint.
  • The exploit reads the default gateway from /proc/net/route to auto-discover the device IP, indicating the attacker is on the same local network segment.
  • Unauthorized access to SOAP/XML web services on the portal can disclose WLAN key/password; alert on unauthenticated access to xml_action.cgi endpoints.
  • ·The vulnerable device is specifically FiberHome Mobile WIFI Device Model LM53Q1 firmware version VH519R05C01S38; detections should be scoped to this model/version.
  • ·The exploit targets the device's gateway IP discovered from the attacker's local routing table, meaning exploitation is limited to hosts on the same local network as the device.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.