Description
Multiple serious vulnerabilities have been found in ARRIS cable modems. Malicious users can exploit these vulnerabilities to gain privileges or inject arbitrary code.
Below is a complete list of vulnerabilities:
- Predictable technician password can be exploited remotely to gain technician privileges;
- Unknown vulnerability at web management interface can be exploited remotely to gain arbitrary user privileges;
- Unknown vulnerability at web management initerface can be exploited remotely via a specially designed pwd parameter to inject arbitrary script or HTML;
- Hardcoded administrator password can be exploited remotely from vectors related to web management interface, SSH, TELNET, SNMP to gain administrator privileges.
Technical details
Vulnerabilities (2, 3) related to adv_pwd_cgi.
Vulnerability (4) caused by hardcoded administrators password derived from serial number.
Original advisories
Related products
CVE list
- CVE-2015-7291 high
- CVE-2015-7290 warning
- CVE-2009-5149 warning
- CVE-2015-7289 critical
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com
Found an inaccuracy in the description of this vulnerability? Let us know!