CVE-2017-6351
published 2017-03-06

Priority: P2 · 62 · high · CVSS 3.0 base score 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H

EXPLOIT
EPSS: 7.12% (93.5th percentile)
The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a hardcoded username / password. Once the device is set to DEBUG mode, an attacker can connect to the device using the telnet protocol and log into the device with the 'abarco' hardcoded manufacturer account. This account is not documented, nor is the DEBUG feature or the use of telnetd on port tcp/5885.

Affected (1 range)

Vendor | Product | Version range | Fixed in
wepresent | wipg-1500_firmware | |

Detection & IOCs (extracted from sources)

other: abarco
port: tcp/5885
other (shadow entry): abarco:$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1:0:0:99999:7:::
other (shadow entry): root:$1$x1mFoD3w$uuvn.Z0p.XagX29uN3/Oa.:0:0:99999:7:::
process: telnetd
  • Monitor for inbound TCP connections to port 5885, which is the non-standard telnetd port activated when the WePresent WiPG-1500 is placed in DEBUG mode.
  • Alert on successful or attempted telnet authentication using the username 'abarco' on any network-accessible device, particularly on port 5885.
  • Detect presence of the hardcoded shadow hash for 'abarco' ($1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1) in firmware or filesystem images during threat hunting or device audits.
  • Look for the 'abarco' user entry in /etc/passwd with UID 1000 and GID 0 (root group), indicating the backdoor account is present on the device.
  • The backdoor telnetd on TCP/5885 is only activated when the device is explicitly placed in DEBUG mode; the port will not be open under normal operating conditions.
  • This vulnerability is a WONTFIX for the WiPG-1500 model, as the product is no longer maintained; the vendor removed the 'abarco' account only on newer models.
  • Newer WePresent/Awind models may still expose telnetd in DEBUG mode (potentially with a different backdoor account such as 'r00t'), so DEBUG mode exposure is a broader risk class beyond just the WiPG-1500.
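The hunt described in the bullets above, as an added example script (not code from the CVE source, the vendor, or this page): it checks an extracted firmware filesystem's /etc/passwd and /etc/shadow for the 'abarco' account and the quoted shadow hash, and flags inbound TCP connections to the DEBUG-mode telnetd port 5885 in a connection log. The sample passwd/shadow contents and connection records are constructed for the example (the home directory and shell of the 'abarco' line are assumptions; the UID 1000 / GID 0 values and the two shadow hashes are the ones the page quotes), and the whitespace-separated log format is a stand-in for whatever your sensor emits.

```python
"""Hunt for the CVE-2017-6351 indicators: the 'abarco' backdoor account in
passwd/shadow of an extracted WiPG-1500 firmware image, and connections to
the DEBUG-mode telnetd on tcp/5885. Example code, not from the CVE page or
the vendor; sample data below is constructed, hashes are from the page."""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

BACKDOOR_USER = "abarco"
BACKDOOR_SHADOW_HASH = "$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1"  # quoted on the page
DEBUG_TELNET_PORT = 5885

# Constructed sample files. Home directory and shell of 'abarco' are assumed;
# UID 1000 / GID 0 and both hashes are the values the page lists.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
abarco:x:1000:0::/home/abarco:/bin/sh
"""
SAMPLE_SHADOW = """root:$1$x1mFoD3w$uuvn.Z0p.XagX29uN3/Oa.:0:0:99999:7:::
abarco:$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1:0:0:99999:7:::
"""
# Constructed connection records: "ts src_ip src_port dst_ip dst_port proto".
SAMPLE_CONN_LOG = [
    "2017-03-06T10:00:01Z 10.0.0.23 51022 10.0.0.50 443 tcp",
    "2017-03-06T10:00:07Z 10.0.0.23 51023 10.0.0.50 5885 tcp",
    "2017-03-06T10:00:09Z 10.0.0.40 5885 10.0.0.50 5885 udp",
    "2017-03-06T10:00:12Z 10.0.0.23 51024 10.0.0.51 23 tcp",
]


@dataclass
class AccountFinding:
    user: str
    in_passwd: bool = False
    uid: Optional[int] = None
    gid: Optional[int] = None
    shadow_hash: Optional[str] = None

    @property
    def root_group(self) -> bool:
        return self.gid == 0

    @property
    def known_backdoor_hash(self) -> bool:
        return self.shadow_hash == BACKDOOR_SHADOW_HASH


def _records(text: str):
    """Yield field lists of a colon-separated passwd/shadow file, skipping blanks/comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def find_backdoor_account(passwd_text: str, shadow_text: str,
                          user: str = BACKDOOR_USER) -> AccountFinding:
    """Locate `user` in passwd (uid/gid fields) and shadow (hash field)."""
    finding = AccountFinding(user=user)
    for f in _records(passwd_text):  # name:pw:uid:gid:gecos:home:shell
        if len(f) >= 4 and f[0] == user:
            finding.in_passwd = True
            finding.uid = int(f[2]) if f[2].isdigit() else None
            finding.gid = int(f[3]) if f[3].isdigit() else None
    for f in _records(shadow_text):  # name:hash:lastchg:min:max:warn:...
        if len(f) >= 2 and f[0] == user:
            finding.shadow_hash = f[1]
    return finding


def flag_debug_telnet_connections(log_lines: List[str],
                                  port: int = DEBUG_TELNET_PORT) -> List[Tuple[str, str]]:
    """Return (src_ip, dst_ip) for TCP records whose destination port is the DEBUG telnetd port."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed record
        _ts, src, _sport, dst, dport, proto = parts[:6]
        if proto.lower() == "tcp" and dport == str(port):
            hits.append((src, dst))
    return hits


def debug_telnet_open(host: str, port: int = DEBUG_TELNET_PORT, timeout: float = 3.0) -> bool:
    """Active audit check: True if a TCP connect to host:port succeeds, i.e. the
    device is in DEBUG mode. Only run against devices you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    acct = find_backdoor_account(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(f"{acct.user}: in_passwd={acct.in_passwd} uid={acct.uid} gid={acct.gid} "
          f"root_group={acct.root_group} known_hash={acct.known_backdoor_hash}")
    for src, dst in flag_debug_telnet_connections(SAMPLE_CONN_LOG):
        print(f"ALERT tcp/{DEBUG_TELNET_PORT} connection from {src} to {dst}")
```

Point `find_backdoor_account` at the `etc/passwd` and `etc/shadow` pulled out of a firmware image (binwalk or a squashfs mount) and feed `flag_debug_telnet_connections` your sensor's connection records after adapting the field split; `debug_telnet_open` is the one-line active check for a device that should not have the port open.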

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C