Description
Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.
Exploits (1)
exploitdb
WORKING POC
by Gerard Fuguet · text · remote · hardware
https://www.exploit-db.com/exploits/47390
References (4)
Scores
CVSS v3
6.5
EPSS
0.0116
EPSS Percentile
78.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-552
Status
published
Products (1)
intenogroup/eg200_firmware
eg200-wu7p1u_adamo3.16.4-190226_1650
Published
Sep 16, 2019
Tracked Since
Feb 18, 2026