CVE-2024-25735
published 2024-03-27

Priority: P187
Severity: critical (CVSS 3.1 base score 9.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 50.62% (98.8th percentile)
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext passwords via a SoftAP /device/config GET request.

Affected

1 range
Vendor      Product                 Version range   Fixed in
wyrestorm   apollo_vx20_firmware    < 1.3.58        1.3.58

Detection & IOCs (extracted from sources)

path: /device/config
command: curl -k https://192.168.x.x/device/config
sigma:
  detection:
    keywords:
      - '/device/config'
    condition: keywords
  • Detect unauthenticated HTTP GET requests to the /device/config endpoint on WyreStorm Apollo VX20 devices. A successful exploit returns 200 OK with Content-Type application/json and a body containing both a '"softAp":' object and a '"password":' key.
  • Shodan queries 'ssl:"WyreStorm Apollo VX20"' and 'ssl:"wyrestorm apollo vx20"' can be used to identify internet-exposed devices. The query matches on the TLS certificate, not the firmware version, so patched units show up too and still need a version check.
  • The exploit response carries the softAp credentials in cleartext. Alert on HTTP responses from /device/config whose body contains '"softAp":{"password":'; in the PoC output the pattern '{"password":' is followed by 'router'.
  • Only WyreStorm Apollo VX20 firmware before 1.3.58 is affected; devices running 1.3.58 or later are not vulnerable.
  • The PoC disables TLS certificate verification (verify=False, matching the curl -k above), so the device serves HTTPS with a self-signed or otherwise untrusted certificate. Detection rules must therefore cover HTTPS traffic to this endpoint; a passive sensor only sees the request path and response body where TLS is terminated or inspected, so without that the rule can fire only on a TLS-terminating proxy or on an authorized active check of the endpoint.
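The bullets above describe a detection rule plus an affected-version check but give no runnable form of either. The following is an added example, not code from the page, from WyreStorm, or from the PoC it references. It assumes HTTP transactions are available as records with method, uri, status, content_type, body and authorization fields, which is what a TLS-terminating proxy would emit; the field names and the sample records are constructed for illustration.

```python
from __future__ import annotations

import re

# Fixed firmware version from the advisory: everything below it is affected.
FIXED_VERSION = "1.3.58"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.3.57' into (1, 3, 57) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(firmware: str) -> bool:
    """True for Apollo VX20 firmware before 1.3.58 (the advisory's affected range)."""
    return parse_version(firmware) < parse_version(FIXED_VERSION)


# Response-body indicator from the page's IOCs: a softAp object carrying a
# cleartext password key. Whitespace-tolerant; other keys may precede password.
SOFTAP_PASSWORD = re.compile(r'"softAp"\s*:\s*\{[^{}]*"password"\s*:\s*"')


def classify(rec: dict) -> str | None:
    """Classify one HTTP transaction record.

    'credential_disclosure': unauthenticated GET /device/config answered 200
                             application/json with a softAp password block.
    'probe':                 any other unauthenticated GET to the endpoint
                             (attempt seen, no leak evidenced in this record).
    None:                    not relevant to this rule.
    """
    # Normalise the path: drop the query string and a trailing slash.
    path = rec.get("uri", "").split("?", 1)[0].rstrip("/") or "/"
    if rec.get("method") != "GET" or path != "/device/config":
        return None
    if rec.get("authorization"):
        return None  # authenticated admin access to the config is expected
    leaked = (
        rec.get("status") == 200
        and "application/json" in rec.get("content_type", "").lower()
        and SOFTAP_PASSWORD.search(rec.get("body", "")) is not None
    )
    return "credential_disclosure" if leaked else "probe"


def scan(records: list[dict]) -> list[tuple[str, str]]:
    """Return (source IP, verdict) for every record the rule fires on."""
    hits = []
    for rec in records:
        verdict = classify(rec)
        if verdict:
            hits.append((rec["src"], verdict))
    return hits


# Constructed sample records (not real captures); field layout is an assumption.
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "method": "GET", "uri": "/device/config", "authorization": "",
     "status": 200, "content_type": "application/json; charset=utf-8",
     "body": '{"softAp":{"ssid":"Apollo-VX20","password":"router1234","channel":6},"name":"VX20"}'},
    {"src": "203.0.113.9", "method": "GET", "uri": "/device/config?ts=1711533601", "authorization": "",
     "status": 401, "content_type": "text/html", "body": "Unauthorized"},
    {"src": "198.51.100.4", "method": "GET", "uri": "/status", "authorization": "",
     "status": 200, "content_type": "application/json", "body": '{"uptime":120}'},
    {"src": "192.0.2.50", "method": "GET", "uri": "/device/config", "authorization": "Basic REDACTED",
     "status": 200, "content_type": "application/json",
     "body": '{"softAp":{"ssid":"Apollo-VX20","password":"router1234"}}'},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_RECORDS):
        print(f"{src}: {verdict}")
    print("1.3.57 affected:", is_affected_version("1.3.57"))
```

Run against the sample records the rule reports one disclosure (the 200/JSON response with the softAp password block) and one probe (the 401), ignores the unrelated endpoint, and ignores the authenticated read. Because the endpoint is served over HTTPS, the body match only works on records from a TLS-terminating proxy; on plain network telemetry you are limited to the host and port, and the version check is the reliable fallback.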

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck             9.1     CRITICAL