CVE-2016-10372

CRITICAL EXPLOITED

EIR D1000 Modem Firmware - Access Control

Title source: rule

Description

The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80, retrieving the login password (which defaults to the Wi-Fi password), and using the NewNTPServer feature.

Exploits (1)

metasploit WORKING POC NORMAL

by Kenzo · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/tr064_ntpserver_cmdinject.rb

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/

[Various Sources] https://ghostbin.com/paste/q2vq2

[Exploit, Technical Description, Third Party Advisory] https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/

Scores

CVSS v3 9.8

EPSS 0.9298

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-01-01

CWE

CWE-264

Status published

Products (1)

eir/d1000_modem_firmware

Published May 16, 2017

Tracked Since Feb 18, 2026