cbcvebase.
CVE-2018-10575
published 2018-04-30

Priority: P2 (66)
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 8.67% (94.5th percentile)
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.

Affected (3 ranges)

Vendor      Product          Version range   Fixed in
watchguard  ap100_firmware   < 1.2.9.15      1.2.9.15
watchguard  ap102_firmware   < 1.2.9.15      1.2.9.15
watchguard  ap200_firmware   < 1.2.9.15      1.2.9.15
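The table above expresses the affected range as "< 1.2.9.15". A fleet check against it is easy to get wrong if versions are compared as strings ("1.2.9.9" sorts after "1.2.9.15" lexicographically). The following is an added example, not code from the page, WatchGuard or the exploit module; the product keys come from the table, while the inventory rows and device names are constructed here for illustration.

```python
from typing import Tuple

# Fixed versions from the Affected table (same three products).
FIXED_IN = {
    "ap100_firmware": "1.2.9.15",
    "ap102_firmware": "1.2.9.15",
    "ap200_firmware": "1.2.9.15",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so it compares numerically.

    As strings "1.2.9.9" > "1.2.9.15" (because "9" > "1"), which would
    wrongly mark a vulnerable build as fixed; tuples of ints compare correctly.
    """
    return tuple(int(part) for part in version.strip().split("."))


def classify(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one product/version pair."""
    fixed = FIXED_IN.get(product)
    if fixed is None:
        return "unknown"  # product not covered by this advisory
    try:
        return "affected" if parse_version(version) < parse_version(fixed) else "fixed"
    except ValueError:
        return "unknown"  # non-numeric build string: report it, do not guess


# Constructed inventory (hypothetical devices, not from the page), in the shape
# an asset tracker might export: (device name, product key, firmware version).
INVENTORY = [
    ("ap-lobby", "ap100_firmware", "1.2.9.9"),
    ("ap-floor2", "ap102_firmware", "1.2.9.15"),
    ("ap-roof", "ap200_firmware", "1.2.10.1"),
    ("ap-lab", "ap200_firmware", "1.2.9.15-beta"),
    ("fw-edge", "firebox_firmware", "12.1"),
]


def report(inventory) -> list:
    """Classify every inventory row; returns [(device name, status), ...]."""
    return [(name, classify(product, version)) for name, product, version in inventory]


if __name__ == "__main__":
    for name, status in report(INVENTORY):
        print(f"{name:10} {status}")
```

Anything that comes back "unknown" (an unparseable build string or a product outside the three listed) should be checked by hand rather than treated as fixed.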

Detection & IOCs (extracted from sources)

port: 443
path: /cgi-bin/luci/
path: /cgi-bin/luci/;{stok}/html/Status
path: /cgi-bin/luci/;{stok}/wgupload
path: /www/cgi-bin/payload.luci
path: /tmp/payload
path: /cgi-bin/payload.luci
cookie: sysauth=<token>; serial=<serial>; filename=/tmp/payload; md5sum=fail
cookie: sysauth=<token>; serial=<serial>; filename=/www/cgi-bin/payload.luci; md5sum=fail
command: /bin/chmod +x /tmp/payload
command: /tmp/payload
filename: payload.luci
  • Look for HTTP requests to /cgi-bin/luci/ carrying AUTH_USER and AUTH_PASS headers. These are non-standard headers the exploit uses to pass the hardcoded backdoor credentials; alert on their presence rather than on particular values.
  • Detect POST requests to /cgi-bin/luci/;{stok}/wgupload whose Cookie header contains a 'filename=' attribute pointing at paths such as /tmp/payload or /www/cgi-bin/*.luci: this is the wgupload endpoint being used to write an attacker-supplied file to an attacker-chosen path.
  • Alert on HTTP GET requests to /cgi-bin/payload.luci, the attacker-uploaded Lua web shell being invoked for remote code execution. The file name is set by the attacker in the wgupload cookie, so do not anchor the rule on the name payload.luci alone.
  • Monitor for the default backdoor credentials, username 'admin' with password '1234', being used against the WatchGuard AP web administration interface on port 443.
  • The exploit targets the MIPS big-endian (MIPSBE) architecture; a payload dropped to /tmp/payload is a MIPSBE ELF binary, made executable with /bin/chmod +x /tmp/payload and then run as /tmp/payload.
  • Detect SSH logins to WatchGuard AP100/AP102/AP200 devices by the unprivileged account whose shell is /bin/false. Successful authentication as this account indicates use of the hardcoded backdoor credential. Note that /bin/false only prevents an interactive shell: a successful login can still be used for port forwarding unless sshd disallows it, so treat the authentication itself as the signal.
  • The exploit module also accepts legitimate admin credentials, so detections based solely on credential values are unreliable: they miss an attacker using real credentials and may produce false positives for authorized administrators.
  • The vulnerability affects firmware versions before 1.2.9.15 on WatchGuard AP100, AP102 and AP200; devices running 1.2.9.15 or later are not affected by the hardcoded SSH credential issue.
  • The wgupload destination path and serial number travel in the Cookie header rather than in POST body parameters; WAF/IDS rules that inspect only the POST body will miss the malicious upload destination.
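The detection notes above amount to three HTTP rules plus a credential check, with the twist that the upload destination must be read from the Cookie header. The block below runs those rules over request records and adds a header check for a recovered /tmp/payload. It is an added example, not code from the page, WatchGuard or the exploit module. Assumptions: request records are dicts with src, method, path and a headers map (a hypothetical proxy/SIEM export); the {stok} path segment is matched as "any segment" rather than a specific token format; the .luci rule is generalised from payload.luci to any .luci file directly under /cgi-bin/, since the attacker chooses that name; the sample requests and the ELF header bytes are constructed here.

```python
import re
from typing import Dict, List, Optional

# Paths from the IOC list. {stok} is LuCI's session-token path segment;
# it is matched with [^/]+ rather than assuming a particular format (assumption).
LUCI_ROOT = "/cgi-bin/luci/"
WGUPLOAD_RE = re.compile(r"^/cgi-bin/luci/;[^/]+/wgupload$")
# The dropped file's name comes from the wgupload cookie, so it is attacker-chosen:
# flag any .luci file directly under /cgi-bin/ (generalisation; LuCI's own entry
# point is /cgi-bin/luci with no extension).
DROPPED_LUCI_RE = re.compile(r"^/cgi-bin/[^/]+\.luci$")
SUSPICIOUS_DEST_RE = re.compile(r"^(/tmp/|/www/cgi-bin/[^/]+\.luci$)")
BACKDOOR_CREDS = ("admin", "1234")


def parse_cookie(value: str) -> Dict[str, str]:
    """Split a Cookie header into name -> value; values keep any '=' after the first."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip()] = val.strip()
    return out


def header(req: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, val in req.get("headers", {}).items():
        if key.lower() == name.lower():
            return val
    return None


def analyze(req: dict) -> List[dict]:
    """Apply the detections to one request record; returns a list of findings."""
    findings: List[dict] = []
    path = req["path"].split("?", 1)[0]
    user, password = header(req, "AUTH_USER"), header(req, "AUTH_PASS")

    # 1. Backdoor header auth: key on the presence of AUTH_USER/AUTH_PASS against
    #    LuCI, not on their values, because the module also accepts real admin creds.
    if path.startswith(LUCI_ROOT) and user is not None and password is not None:
        findings.append({"rule": "luci-header-auth", "detail": f"AUTH_USER={user}"})
        if (user, password) == BACKDOOR_CREDS:
            findings.append({"rule": "default-backdoor-creds", "detail": "admin/1234"})

    # 2. wgupload dropper: the destination is in the Cookie header, not the POST body.
    if req["method"] == "POST" and WGUPLOAD_RE.match(path):
        dest = parse_cookie(header(req, "Cookie") or "").get("filename", "")
        if SUSPICIOUS_DEST_RE.match(dest):
            findings.append({"rule": "wgupload-dropper", "detail": f"filename={dest}"})

    # 3. Uploaded Lua web shell being invoked.
    if req["method"] == "GET" and DROPPED_LUCI_RE.match(path):
        findings.append({"rule": "dropped-luci-trigger", "detail": path})

    return findings


def scan(requests: List[dict]) -> List[dict]:
    """Run analyze() over a batch, tagging each finding with the client address."""
    return [dict(f, src=req["src"]) for req in requests for f in analyze(req)]


def is_mipsbe_elf(data: bytes) -> bool:
    """True if data starts an ELF that is big-endian (EI_DATA=2) with e_machine=EM_MIPS (8).

    For triaging a recovered /tmp/payload: the exploit drops MIPSBE ELF binaries.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return False
    big_endian = data[5] == 2
    e_machine = int.from_bytes(data[18:20], "big" if big_endian else "little")
    return big_endian and e_machine == 8


# Constructed request records (not from the page): one exploit sequence from
# 10.0.0.5 and one ordinary admin page view from 10.0.0.9.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "GET", "path": "/cgi-bin/luci/",
     "headers": {"AUTH_USER": "admin", "AUTH_PASS": "1234"}},
    {"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/luci/;stok=abc123/wgupload",
     "headers": {"Cookie": "sysauth=deadbeef; serial=WG0001; filename=/tmp/payload; md5sum=fail"}},
    {"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/luci/;stok=abc123/wgupload",
     "headers": {"Cookie": "sysauth=deadbeef; serial=WG0001; filename=/www/cgi-bin/payload.luci; md5sum=fail"}},
    {"src": "10.0.0.5", "method": "GET", "path": "/cgi-bin/payload.luci", "headers": {}},
    {"src": "10.0.0.9", "method": "GET", "path": "/cgi-bin/luci/;stok=abc123/html/Status",
     "headers": {"Cookie": "sysauth=cafef00d"}},
]

# Constructed 20-byte ELF header prefix: 32-bit, big-endian, e_type EXEC, e_machine MIPS.
SAMPLE_MIPSBE_HEADER = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x02" + b"\x00\x08"

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['src']:10} {f['rule']:24} {f['detail']}")
    print("MIPSBE ELF:", is_mipsbe_elf(SAMPLE_MIPSBE_HEADER))
```

Rule 1 deliberately fires on the presence of the headers, not on admin/1234, so an attacker using real administrator credentials through the same module is still caught; the default-credential finding is layered on top as a separate, higher-confidence signal. The benign Status page view produces no findings because it carries only the sysauth cookie and none of the indicators.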

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P