CVE-2019-6814
published 2019-05-22

Priority: P1 · 86 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 36.65% (98.3th percentile)

A CWE-287: Improper Authentication vulnerability exists in the NET55XX Encoder with firmware prior to version 2.1.9.7 which could cause impact to confidentiality, integrity, and availability when a remote attacker crafts a malicious request to the encoder webUI.

Affected

9 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | >= 0 < 74.0+build3-0ubuntu0.16.04.1 | 74.0+build3-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 74.0+build3-0ubuntu0.18.04.1 | 74.0+build3-0ubuntu0.18.04.1 |
| schneider-electric | net5500_firmware | < 2.1.9.7 | 2.1.9.7 |
| schneider-electric | net5501-i_firmware | < 2.1.9.7 | 2.1.9.7 |
| schneider-electric | net5501-xt_firmware | < 2.1.9.7 | 2.1.9.7 |
| schneider-electric | net5501_firmware | < 2.1.9.7 | 2.1.9.7 |
| schneider-electric | net5504_firmware | < 2.1.9.7 | 2.1.9.7 |
| schneider-electric | net5508_firmware | < 2.1.9.7 | 2.1.9.7 |
| schneider-electric | net5516_firmware | < 2.1.9.7 | 2.1.9.7 |

Detection & IOCs (extracted from sources)

url: /cgi-bin/webra.fcgi?network/ssh
cookie: live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647
port: 3702
  • Detect unauthenticated POST requests to /cgi-bin/webra.fcgi?network/ssh with Content-Type application/json — this is the authentication bypass endpoint used to enable SSH and change the root password.
  • Alert on HTTP requests to the NET55XX webUI bearing the forged cookie 'userid=admin; grpid=ADMIN; permission=2147483647' — this cookie is crafted by the attacker to bypass authentication without valid credentials.
  • Monitor for WS-Discovery Probe packets (UDP port 3702) targeting NET55XX devices — the exploit uses ONVIF WS-Discovery to enumerate vulnerable encoders before exploitation.
  • Alert on WS-Discovery Probe messages containing the ONVIF device type 'dp0:NetworkVideoTransmitter' over UDP/3702 — used by the exploit module during the check/enumeration phase.
  • After a successful exploit, watch for new SSH sessions (TCP/22) to NET55XX devices using the username 'root' — the module changes the root password and then connects via SSH to establish a session.
  • The vulnerability affects NET55XX Encoder firmware versions prior to 2.1.9.7 only; patched devices running 2.1.9.7 or later are not affected.
  • The exploit has been confirmed against specific NET55XX model variants; coverage may not extend to all hardware revisions.
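
The first two detections above, applied to web proxy records, as an added example (not taken from the advisory or from any vendor tooling). The endpoint and cookie values come from this page; the JSON log schema (src, method, uri, content_type, cookie) and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import unquote

# Indicators taken from the page; the JSON log schema (src, method, uri,
# content_type, cookie) is an assumption about the proxy's export format.
SSH_ENDPOINT = "/cgi-bin/webra.fcgi?network/ssh"
FORGED = {"userid": "admin", "grpid": "ADMIN", "permission": "2147483647"}

def parse_cookie(header):
    """Split a Cookie header into a dict, tolerating field order and spacing."""
    pairs = (p.partition("=") for p in (header or "").split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}

def classify(rec):
    """Return the names of the indicators that one request record matches."""
    hits = []
    cookie = parse_cookie(rec.get("cookie"))
    if all(cookie.get(k) == v for k, v in FORGED.items()):
        hits.append("forged-admin-cookie")
    # Ignore parameters such as "; charset=utf-8" when comparing the media type.
    ctype = (rec.get("content_type") or "").split(";")[0].strip().lower()
    if ((rec.get("method") or "").upper() == "POST"
            and unquote(rec.get("uri") or "") == SSH_ENDPOINT
            and ctype == "application/json"):
        hits.append("ssh-config-post")
    return hits

def scan(lines):
    """Return [(src, hits)] for every parseable record with at least one hit."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        hits = classify(rec) if isinstance(rec, dict) else []
        if hits:
            findings.append((rec.get("src"), hits))
    return findings

# Constructed sample records using documentation addresses, not real traffic.
SAMPLE = [
    '{"src":"192.0.2.10","method":"GET","uri":"/index.html","cookie":"session=abc"}',
    '{"src":"198.51.100.7","method":"POST","uri":"/cgi-bin/webra.fcgi?network/ssh","content_type":"application/json","cookie":"permission=2147483647; grpid=ADMIN;userid=admin; live_onoff=0"}',
    '{"src":"198.51.100.7","method":"GET","uri":"/cgi-bin/webra.fcgi?status","cookie":"live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647"}',
    '{"src":"203.0.113.5","method":"post","uri":"/cgi-bin/webra.fcgi%3Fnetwork/ssh","content_type":"application/json; charset=utf-8"}',
    '{"src":"192.0.2.10","method":"GE',
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE):
        print(src, ",".join(hits))
```

A proxy log cannot show whether a POST was authenticated, so the endpoint rule flags every JSON POST to the SSH settings URL; hits from known administrator workstations need triage rather than automatic blocking.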

CVSS provenance

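| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 6.5 | MEDIUM | |
| vulncheck | | 9.8 | CRITICAL | |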