Details of VAR-201706-1195

ID

VAR-201706-1195

TITLE

ARRIS VAP2500 Default Credentials Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-16-695

DESCRIPTION

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is not required to exploit this vulnerability.The specific flaw exists within the firmware and filesystem of the ARRIS VAP2500. The firmware and filesystem contain hard-coded default credentials in clear text. An attacker can leverage this vulnerability to execute code under the context of root.

Trust: 0.7

sources: ZDI: ZDI-16-695

AFFECTED PRODUCTS

vendor:

arris

model:

vap2500

scope:

version:

Trust: 0.7

sources: ZDI: ZDI-16-695

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	ZDI-16-695
value:	HIGH
Trust: 0.7

ZDI:	ZDI-16-695
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7

sources: ZDI: ZDI-16-695

EXTERNAL IDS

db:	ZDI_CAN	id:	ZDI-CAN-3872	Trust: 0.7
db:	ZDI	id:	ZDI-16-695	Trust: 0.7

sources: ZDI: ZDI-16-695

CREDITS

Ricky "HeadlessZeke" Lawshae

Trust: 0.7

sources: ZDI: ZDI-16-695

SOURCES

db:

ZDI

id:

ZDI-16-695

LAST UPDATE DATE

2022-05-17T02:05:50.629000+00:00

SOURCES UPDATE DATE

db:

ZDI

id:

ZDI-16-695

date:

2017-06-26T00:00:00

SOURCES RELEASE DATE

db:

ZDI

id:

ZDI-16-695

date:

2017-06-26T00:00:00