cbcvebase.
CVE-2018-20377
published 2018-12-23

Priority: P266 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 7.72% (93.9th percentile)

Orange Livebox 00.96.320S devices allow remote attackers to discover Wi-Fi credentials via /get_getnetworkconf.cgi on port 8080, leading to full control if the admin password equals the Wi-Fi password or has the default admin value. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.

Affected

4 ranges
Vendor · Product · Version range · Fixed in
orange · arv7519rw22_livebox_2.1_firmware
orange · arv7519rw22_livebox_2.1_firmware
orange · arv7519rw22_livebox_2.1_firmware
orange · arv7519rw22_livebox_2.1_firmware

Detection & IOCs (extracted from sources)

path: /get_getnetworkconf.cgi
port: 8080
snort:
alert http1 $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http.request_line; content:"GET|20|"; startswith; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:3; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2019_12_03, cve CVE_2018_20377, deployment Perimeter, signature_severity Major, updated_at 2024_04_04, reviewed_at 2024_02_20;)
  • Exploit requests target GET /get_getnetworkconf.cgi HTTP/1.1 on port 8080 with no Referer header present — the absence of a Referer header is a key discriminator for automated/scripted exploitation vs. browser-originated requests.
  • Successful exploitation leaks Wi-Fi credentials in the response; follow-on full device compromise is likely if the admin password equals the Wi-Fi password or retains the default 'admin' value.
  • The Emerging Threats rule (sid:2029091) is classified as trojan-activity with Perimeter deployment, indicating this endpoint should be monitored at the network boundary for inbound exploitation attempts.
  • Vulnerability is confirmed on a specific firmware/hardware combination; defenders should verify device version before assuming exposure.

CVSS provenance

nvd · v3.0 · 9.8 · CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C