CVE-2017-14942

CRITICAL NUCLEI

Intelbras WRN 150 - Authentication Bypass

Title source: nuclei
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-14942. PoCs published by Elber Tavares. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates an authentication bypass vulnerability in Intelbras WRN 150 routers by downloading the configuration file via a crafted cookie header. It uses a simple HTTP GET request with a specific cookie to retrieve the router's configuration file without authentication.

Description

Intelbras WRN 150 devices allow remote attackers to read the configuration file, and consequently bypass authentication, via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg containing an admin:language=pt cookie.

Exploits (1)

exploitdb WORKING POC
by Elber Tavares · pythonwebappshardware
https://www.exploit-db.com/exploits/42916

This exploit demonstrates an authentication bypass vulnerability in Intelbras WRN 150 routers by downloading the configuration file via a crafted cookie header. It uses a simple HTTP GET request with a specific cookie to retrieve the router's configuration file without authentication.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Intelbras Wireless N 150 Mbps - WRN 150
No auth needed
Prerequisites: Network access to the target router · Router must be using the default or vulnerable firmware
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Intelbras WRN 150 - Authentication Bypass
CRITICALVERIFIEDby ritikchaddha
Shodan: html:"WRN150"
FOFA: title="WRN150"

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42916/

Scores

CVSS v3 9.8
EPSS 0.6126
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-552
Status published
Products (1)
intelbras/wrn_150_firmware 1.0.1
Published Sep 30, 2017
Tracked Since Feb 18, 2026