CVE-2016-10308
CRITICAL
Siklu EtherHaul Firmware < 3.7.1 and 6.x < 6.9.0 - Use of Hard-coded Credentials
Title source: llm
Description
Siklu EtherHaul radios before 3.7.1 and 6.x before 6.9.0 have a built-in, hidden root account, with an unchangeable password that is the same across all devices. This account is accessible via both SSH and the device's web interface and grants access to the underlying embedded Linux OS on the device, allowing full control over it.
References (2)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97243
Exploit, Third Party Advisory x_refsource_misc
http://blog.iancaling.com/post/145309944453
Scores
CVSS v3
9.8
EPSS
0.0294
EPSS Percentile
85.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-798
Status
published
Products (2)
siklu/etherhaul_firmware
6.0
siklu/etherhaul_firmware
< 3.7.0
Published
Mar 30, 2017
Tracked Since
Feb 18, 2026