Description
On Beijing Hanbang Hanbanggaoke devices, because user-controlled input is not sufficiently sanitized, sending a PUT request to /ISAPI/Security/users/1 allows an admin password change.
Exploits (1)
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blogs.securiteam.com/index.php/archives/3420
Scores
CVSS v3
7.5
EPSS
0.2018
EPSS Percentile
95.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (50)
hbgk/7204xr_firmware
hbgk/7208xr_firmware
hbgk/7216xr_firmware
hbgk/hb7004k_firmware
hbgk/hb7004kh_firmware
hbgk/hb7008kc_firmware
hbgk/hb7008kce_firmware
hbgk/hb7008kh_firmware
hbgk/hb7008khe_firmware
hbgk/hb7008t2_firmware
... and 40 more
Published
Sep 12, 2017
Tracked Since
Feb 18, 2026