CVE-2016-10305

CRITICAL

Gotrango Apex Plus Firmware < 3.2.0 - Hard-coded Credentials


Description

Trango Apex <= 2.1.1, ApexLynx < 2.0, ApexOrion < 2.0, ApexPlus <= 3.2.0, Giga <= 2.6.1, GigaLynx < 2.0, GigaOrion < 2.0, GigaPlus <= 3.2.3, GigaPro <= 1.4.1, StrataLink < 3.0, and StrataPro devices have a built-in, hidden root account, with a default password that was once stored in cleartext within a software update package on a Trango FTP server. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.

References (1)

http://blog.iancaling.com/post/153011925478 (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 9.8
EPSS 0.0169
EPSS Percentile 74.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-798
Status published
Products (11)
gotrango/apex_firmware < 2.1.1
gotrango/apex_lynx_firmware < 1.2.3
gotrango/apex_orion_firmware < 1.2.3
gotrango/apex_plus_firmware < 3.2.0
gotrango/giga_firmware < 2.6.1
gotrango/giga_lynx_firmware < 1.2.3
gotrango/giga_orion_firmware < 1.2.3
gotrango/giga_plus_firmware < 3.2.3
gotrango/giga_pro_firmware < 1.4.1
gotrango/stratalink_firmware < 2.2.0
... and 1 more
Published Mar 30, 2017
Tracked Since Feb 18, 2026