cbcvebase.
CVE-2017-3834
published 2017-04-06

CVE-2017-3834: A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software could allow an…

PriorityP264critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
4.46%
90.2th percentile
A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software could allow an unauthenticated, remote attacker to take complete control of an affected device. The vulnerability is due to the existence of default credentials for an affected device that is running Cisco Mobility Express Software, regardless of whether the device is configured as a master, subordinate, or standalone access point. An attacker who has layer 3 connectivity to an affected device could use Secure Shell (SSH) to log in to the device with elevated privileges. A successful exploit could allow the attacker to take complete control of the device. This vulnerability affects Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points that are running an 8.2.x release of Cisco Mobility Express Software prior to Release 8.2.111.0, regardless of whether the device is configured as a master, subordinate, or standalone access point. Release 8.2 was the first release of Cisco Mobility Express Software for next generation Cisco Aironet Access Points. Cisco Bug IDs: CSCva50691.

Affected

9 ranges
VendorProductVersion rangeFixed in
ciscoaironet_1830_series_and_1850_series_access_points_mobility_express_default_crede
ciscoaironet_access_point_firmware
ciscoaironet_access_point_firmware
ciscoaironet_access_point_firmware
ciscoaironet_access_point_firmware
ciscoaironet_access_point_firmware
ciscoaironet_access_point_firmware
ciscoaironet_access_point_firmware
ciscoaironet_access_point_firmware

Detection & IOCsextracted from sources · hover to see the quote

port22 (SSH)
  • Monitor for unauthenticated or anomalous SSH login attempts to Cisco Aironet 1830/1850 Series Access Points running Cisco Mobility Express Software 8.2.x prior to 8.2.111.0, particularly logins with elevated privileges using default credentials.
  • The vulnerability exists regardless of device role (master, subordinate, or standalone access point), so detection should cover all deployment modes of affected Mobility Express devices.
  • Scope detection to Cisco Mobility Express Software 8.2.x releases prior to 8.2.111.0, as Release 8.2 was the first release of Cisco Mobility Express Software for next generation Cisco Aironet Access Points.
  • ·The vulnerability is due to hardcoded/default credentials present in Cisco Mobility Express Software on affected devices; exploitation requires only layer 3 network connectivity to the device — no prior authentication needed.
  • ·There are no workarounds available for this vulnerability; the only remediation is upgrading to Cisco Mobility Express Software Release 8.2.111.0 or later.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.