CVE-2019-13140

MEDIUM

Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 - Unauthenticated 3DES Key Extraction via JUCI ACL Misconfiguration

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-13140. PoCs published by Gerard Fuguet.

AI-analyzed exploit summary This exploit leverages a JUCI ACL misconfiguration in Inteno IOPSYS Gateway to extract a 3DES key via JSON commands over WebSocket, which can then be used to decrypt a provisioning file containing sensitive information like SIP credentials.

Description

Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.

Exploits (1)

exploitdb WORKING POC

by Gerard Fuguet · textremotehardware

https://www.exploit-db.com/exploits/47390

View Code ZIP pw:eip

This exploit leverages a JUCI ACL misconfiguration in Inteno IOPSYS Gateway to extract a 3DES key via JSON commands over WebSocket, which can then be used to decrypt a provisioning file containing sensitive information like SIP credentials.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 and before

Auth required

Prerequisites: Access to the router's web interface · Valid credentials for the 'user' account · Provisioning file (.enc) from Adamo Telecom

MITRE ATT&CK

T1552 - Unsecured Credentials T1119 - Automated Collection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/47390

Third Party Advisory x_refsource_misc

https://twitter.com/GerardFuguet/status/1169298861782896642

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/154494/Inteno-IOPSYS-Gateway-3DES-Key-Extraction-Improper-Access.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/docs/47397

Scores

CVSS v3 6.5

EPSS 0.0204

EPSS Percentile 78.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-552

Status published

Products (1)

intenogroup/eg200_firmware eg200-wu7p1u_adamo3.16.4-190226_1650

Published Sep 16, 2019

Tracked Since Feb 18, 2026