CVE-2018-15721
Published 2018-12-20
Priority: P2 (62) · Critical 9.8 · CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.82% (76.1st percentile)
The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Remote attackers can use this vulnerability to gain access to the local API.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| logitech | harmony_hub_firmware | < 4.15.206 | 4.15.206 |
| logitech | logitech_harmony_hub | — | — |
Detection & IOCs (extracted from sources)

Command quoted in sources:

`curl -d "{\"cmd\":\"harmony.system?systeminfo\"}" -H "Origin: .myharmony.com" -H "Content-Type: application/json" "http://192.168.0.176:8088"`

Detections:

- Detect XMPP authentication bypass (CVE-2018-15721): monitor for XMPP authentication requests that do NOT contain an 'oa' element, which leaves the identity variable uninitialized and causes the authenticate() function to return any supplied username, granting AUTH_YES.
- Detect use of hardcoded XMPP guest credentials: alert on XMPP SASL PLAIN authentication payloads containing the base64 strings 'AGd1ZXN0AGd1ZXN0' or 'Z3Vlc3QAZ3Vlc3QA' (both decode to guest:guest variants).
- Detect CVE-2018-15723 exploitation attempts: monitor HTTP POST requests to port 8088 on Harmony Hub devices that include a forged 'Origin' header matching '*.myharmony.com', especially with a JSON body containing 'cmd' keys for application-level commands such as 'harmony.system?systeminfo'.
- Flag network traffic to/from Harmony Hub devices on port 8088 originating from external/untrusted network segments, as the local API is exposed and implicitly trusts requests with a crafted Origin header.

Notes:

- The vulnerability affects Logitech Harmony Hub firmware versions prior to 4.15.206. Devices running 4.15.206 or later are patched. Verify the firmware version before applying detection rules to avoid false positives on patched devices.
- The authentication bypass relies on the absence of an 'oa' element in the XMPP request; detection logic must inspect XMPP stanza content rather than just connection metadata.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No public exploits indexed.