CVE-2019-3950

CRITICAL

Arlo VMB3010/VMB4000/VMB3500/VMB4500/VMB5000 Firmware - Use of Hard-coded Credentials

Title source: llm

Description

Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://kb.arlo.com/000062274/Security-Advisory-for-Networking-Misconfiguration-and-Insufficient-UART-Protection-Mechanisms

Scores

CVSS v3 9.8

EPSS 0.0174

EPSS Percentile 74.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-798

Status published

Products (5)

arlo/vmb3010_firmware < 1.12.2.3_2762

arlo/vmb3500_firmware < 1.12.2.4_2773

arlo/vmb4000_firmware < 1.12.2.3_2762

arlo/vmb4500_firmware < 1.12.2.4_2773

arlo/vmb5000_firmware < 1.12.2.2_2824

Published Jul 09, 2019

Tracked Since Feb 18, 2026