CVE-2023-43478
Published 2023-09-20
CVE-2023-43478: fake_upload.cgi on the Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, allows unauthenticated attackers to upload firmware images…
Priority P190 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV, exploited in the wild
EPSS: 17.42% (96.7th percentile)
fake_upload.cgi on the Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, allows unauthenticated attackers to upload firmware images and configuration backups, which could allow them to alter the firmware or the configuration on the device, ultimately leading to code execution as root.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| telstra | arcadyan_lh1000_firmware | < 0.18.15r | 0.18.15r |
| telstra | smart_modem_gen_2 | < 0.18.15r | 0.18.15r |
Detection & IOCs (extracted from sources)
Command: `openssl enc -d -aes-256-cbc -md MD5 -salt -in LH1000V1-backup.cfg -out dec.tgz -k '2&15u69A'`
- Monitor for unauthenticated POST requests to /fake_upload.cgi — legitimate firmware/config uploads should require authentication; unauthenticated multipart form-data POSTs to this endpoint are indicative of exploitation.
- Alert on any HTTP GET/access to /hninh987R47san82.htm from untrusted or unauthenticated sources, as this hidden page is the entry point for the unauthenticated upload form.
- Detect unexpected telnet (port 23) connections to the LH1000 device after a reboot, which may indicate a malicious configuration backup was uploaded enabling a root telnet shell.
- Look for the hardcoded encryption key '2&15u69A' in network traffic or files, which is used to encrypt/decrypt LH1000 configuration backups and indicates an attacker is crafting a malicious config.
- Inspect uploaded configuration backups for the presence of ARC_TELNETD_ENABLE=1, ARC_SYS_RDFlag=1, or ARC_SYS_MPTEST=1 in .glbcfg, which are used to enable a root telnet backdoor.
- Detect multipart/form-data POST requests to /fake_upload.cgi containing an 'httoken' field without a preceding authenticated session, as the token can be obtained unauthenticated via ArcBase._t() in JavaScript.
- The hardcoded AES-256-CBC encryption key '2&15u69A' is used for ALL LH1000 configuration backups on affected firmware versions, meaning any attacker with a valid backup from any device can craft a malicious config for any other device.
- Uploading a misconfigured backup could permanently brick the device beyond hardware factory reset recovery — exploitation should be performed with caution.
- The login_fw.cgi key check is entirely bypassable — requests to fake_upload.cgi succeed even without the key, making the authentication gate ineffective.
- The vulnerability is fixed in firmware version 0.18.15r; devices on earlier firmware remain fully exposed to unauthenticated config/firmware upload from the adjacent network.
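As an added example (not code from the advisory or any of its sources), the following Python applies the detection notes above to constructed access-log lines and to a decrypted .glbcfg; the log-line shape and the `session=` field are assumptions, the paths and configuration keys are the ones quoted above.

```python
import re

# Indicators quoted from the detection notes above.
HIDDEN_PAGE = "/hninh987R47san82.htm"
UPLOAD_CGI = "/fake_upload.cgi"
BACKDOOR_KEYS = ("ARC_TELNETD_ENABLE", "ARC_SYS_RDFlag", "ARC_SYS_MPTEST")

# Assumed (hypothetical) access-log shape: "<ip> <METHOD> <path> <status> [session=<id>]".
# The optional session field stands in for whatever authenticated-session marker a deployment logs.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})(?: session=(?P<session>\S+))?$"
)


def scan_log_line(line):
    """Return the detection names triggered by one access-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable-line"]
    method = m.group("method")
    path = m.group("path").split("?")[0]  # ignore any query string
    hits = []
    if path == HIDDEN_PAGE:
        hits.append("hidden-upload-page-access")
    if path == UPLOAD_CGI and method == "POST" and not m.group("session"):
        hits.append("unauthenticated-upload-post")
    return hits


def scan_glbcfg(text):
    """Return the telnet-backdoor keys that are set to 1 in a decrypted .glbcfg."""
    found = []
    for raw in text.splitlines():
        key, _, value = raw.partition("=")
        if key.strip() in BACKDOOR_KEYS and value.strip() == "1":
            found.append(key.strip())
    return found


# Constructed sample data so the script runs stand-alone (hostname key is invented).
SAMPLE_LOG = [
    "192.0.2.10 GET /hninh987R47san82.htm 200",
    "192.0.2.10 POST /fake_upload.cgi 200",
    "192.0.2.20 POST /fake_upload.cgi 200 session=3f9c",
]
SAMPLE_GLBCFG = "ARC_SYS_HOSTNAME=lh1000\nARC_TELNETD_ENABLE=1\nARC_SYS_RDFlag=1\nARC_SYS_MPTEST=0\n"

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry, "->", scan_log_line(entry))
    print("backdoor keys set:", scan_glbcfg(SAMPLE_GLBCFG))
```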
CVSS provenance
- NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.8 HIGH
GHSA
GHSA-x2v2-mj6c-wfp3: fake_upload (ghsa_unreviewed, 2023-09-20)
CVE-2023-43478 [CRITICAL] CWE-434
VulnCheck
CVE-2023-43478 [HIGH]: telstra arcadyan_lh1000_firmware, Unrestricted Upload of File with Dangerous Type (vulncheck, 2023, CVSS 8.8)
Affected: telstra arcadyan_lh1000_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF
No detection rules found.
No public exploits indexed.