CVE-2016-10307
CRITICALTrango ApexLynx 2.0, ApexOrion 2.0, GigaLynx 2.0, GigaOrion 2.0, and StrataLink < 3.0 - Use of Hard-coded Credentials
Title source: llmDescription
Trango ApexLynx 2.0, ApexOrion 2.0, GigaLynx 2.0, GigaOrion 2.0, and StrataLink 3.0 devices have a built-in, hidden root account, with a default password for which the MD5 hash value is public (but the cleartext value is perhaps not yet public). This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
http://blog.iancaling.com/post/153011925478
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97242
Scores
CVSS v3
9.8
EPSS
0.0241
EPSS Percentile
82.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-798
Status
published
Products (5)
gotrango/apex_lynx_firmware
2.0
gotrango/apex_orion_firmware
2.0
gotrango/giga_lynx_firmware
2.0
gotrango/giga_orion_firmware
2.0
gotrango/stratalink_firmware
< 3.0
Published
Mar 30, 2017
Tracked Since
Feb 18, 2026