CVE-2018-10575
Published 2018-04-30
Priority: P266 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 8.67% (94.5th percentile)
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | ap100_firmware | < 1.2.9.15 | 1.2.9.15 |
| watchguard | ap102_firmware | < 1.2.9.15 | 1.2.9.15 |
| watchguard | ap200_firmware | < 1.2.9.15 | 1.2.9.15 |
Detection & IOCs (extracted from sources)
- Look for HTTP requests to /cgi-bin/luci/ with AUTH_USER and AUTH_PASS headers, which are non-standard headers used by the exploit to pass hardcoded backdoor credentials.
- Detect POST requests to /cgi-bin/luci/;{stok}/wgupload with a cookie containing 'filename=' pointing to paths like /tmp/payload or /www/cgi-bin/*.luci, indicating malicious file upload via the wgupload endpoint.
- Alert on HTTP GET requests to /cgi-bin/payload.luci, which is the attacker-uploaded Lua web shell being triggered for remote code execution.
- Monitor for the default backdoor credentials: username 'admin' with password '1234' being used against the WatchGuard AP web administration interface on port 443.
- The exploit targets the MIPS big-endian (MIPSBE) architecture; uploaded payloads dropped to /tmp/payload on the device will be MIPSBE ELF binaries.
- Detect SSH login attempts using an unprivileged account with shell /bin/false on WatchGuard AP100/AP102/AP200 devices; successful authentication with this account indicates use of the hardcoded backdoor credential.
- The exploit module also supports legitimate admin credentials, meaning detections based solely on credential values may produce false positives for authorized administrators.
- The vulnerability affects firmware versions before 1.2.9.15 on WatchGuard AP100, AP102, and AP200; devices running 1.2.9.15 or later are not affected by the hardcoded SSH credential issue.
- The wgupload file path and serial number are passed via cookie headers rather than POST body parameters; WAF/IDS rules inspecting only the POST body will miss the malicious upload destination.
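As an added example (not from the page's sources or from WatchGuard), the three HTTP indicators above combined into one check run over constructed proxy-log records. The record shape, the `;stok=...` form of the session token in the path, and the serial-number cookie value are assumptions; the check reads the cookie rather than the POST body, as the last bullet recommends.

```python
import re

# Constructed sample records, assumed to come from a reverse proxy or WAF
# that logs request headers and the Cookie header (not real traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/cgi-bin/luci/",
     "headers": {"AUTH_USER": "someuser", "AUTH_PASS": "somepass"}, "cookie": ""},
    {"method": "POST", "path": "/cgi-bin/luci/;stok=abc123/wgupload",
     "headers": {}, "cookie": "filename=/tmp/payload; serial=SN-PLACEHOLDER"},
    {"method": "GET", "path": "/cgi-bin/payload.luci", "headers": {}, "cookie": ""},
    # Benign admin page load for comparison: must produce no hit.
    {"method": "GET", "path": "/cgi-bin/luci/;stok=abc123/admin/status",
     "headers": {}, "cookie": "sysauth=deadbeef"},
]

# Session token segment format is assumed; match any single path segment after ';'.
UPLOAD_PATH = re.compile(r"^/cgi-bin/luci/;[^/]+/wgupload$")
# Upload destinations named on the page: /tmp/payload or a .luci file under /www/cgi-bin/.
SUSPICIOUS_DEST = re.compile(r"filename=(/tmp/payload|/www/cgi-bin/[^;]*\.luci)(?:;|$)")


def classify(req):
    """Return the list of indicator names that match one request record."""
    hits = []
    headers = {k.upper(): v for k, v in req["headers"].items()}
    # Indicator 1: non-standard credential headers on the luci endpoint.
    if req["path"].startswith("/cgi-bin/luci/") and "AUTH_USER" in headers and "AUTH_PASS" in headers:
        hits.append("luci-auth-headers")
    # Indicator 2: wgupload POST whose destination is carried in the cookie.
    if req["method"] == "POST" and UPLOAD_PATH.match(req["path"]):
        m = SUSPICIOUS_DEST.search(req.get("cookie", ""))
        if m:
            hits.append("wgupload-suspicious-dest:" + m.group(1))
    # Indicator 3: the uploaded Lua web shell being invoked.
    if req["method"] == "GET" and req["path"] == "/cgi-bin/payload.luci":
        hits.append("payload-luci-trigger")
    return hits


def scan(requests):
    """Return (record index, indicator) pairs for every hit in a batch."""
    return [(i, h) for i, r in enumerate(requests) for h in classify(r)]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_REQUESTS):
        print(f"record {idx}: {hit}")
```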
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
References

- http://seclists.org/fulldisclosure/2018/May/12
- https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy
- https://www.exploit-db.com/exploits/45409/
- https://www.watchguard.com/wgrd-blog/new-firmware-available-ap100ap102ap200ap300-security-vulnerability-fixes