CVE-2015-5995

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to bypass authentication on Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 routers by including 'admin' in an HTTP Cookie header. Attackers can gain administrative access without credentials. Users of these specific router models with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Mediabridge Medialink MWN-WAPR300N
  • Tenda N3 Wireless N150
Versions: Mediabridge firmware 5.07.50; Tenda is vulnerable, but the affected firmware versions are unspecified
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web administration interface of these consumer routers

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of router configuration, network traffic interception, malware deployment, and use as attack platform

🟠 Likely Case: Unauthorized configuration changes, DNS hijacking, credential theft from connected devices

🟢 If Mitigated: Limited impact if routers are behind firewalls or not internet-facing

🌐 Internet-Facing: HIGH - Directly accessible routers can be compromised remotely without authentication
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to pivot through network

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required, no special tools needed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - check vendor for firmware updates

Vendor Advisory: https://www.kb.cert.org/vuls/id/630872

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates
2. Download latest firmware
3. Access router admin interface
4. Upload and apply firmware update
5. Reboot router

🔧 Temporary Workarounds

  • Disable remote administration (all): Prevent external access to router web interface
  • Change default IP range (all): Move router to non-standard subnet to reduce scan exposure

🧯 If You Can't Patch

  • Replace affected routers with supported models
  • Place routers behind firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Attempt to access router admin page with 'Cookie: admin' header using curl or browser extension

Check Version:

Check router web interface status page or use manufacturer-specific CLI commands

Verify Fix Applied:

Test authentication bypass no longer works after firmware update

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with 'admin' in Cookie header to router admin pages
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unusual admin interface access from external IPs
  • Configuration changes from unauthorized sources

SIEM Query:

http.cookie contains "admin" AND dst_ip in [router_ips]
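
The same check applied to exported HTTP logs, as an added example that is not part of the original advisory. The JSON log format, the router addresses, the LAN range and the sample records are all constructed assumptions; adapt the field names to whatever your proxy or sensor emits.

```python
import ipaddress
import json

# Assumptions for this example: the router's admin addresses and the LAN range.
ROUTER_IPS = {"192.168.0.1", "198.51.100.10"}
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample records, one JSON object per HTTP request.
SAMPLE_LOG = """\
{"src_ip": "192.168.0.23", "dst_ip": "192.168.0.1", "uri": "/", "cookie": "lang=en"}
{"src_ip": "203.0.113.7", "dst_ip": "198.51.100.10", "uri": "/", "cookie": "admin"}
{"src_ip": "192.168.0.40", "dst_ip": "192.168.0.1", "uri": "/", "cookie": "theme=dark; Admin=1"}
{"src_ip": "192.168.0.23", "dst_ip": "192.168.0.80", "uri": "/", "cookie": "user=admin"}
{"src_ip": "192.168.0.23", "dst_ip": "192.168.0.1", "uri": "/"}
truncated, non-JSON line
"""


def find_admin_cookie_requests(log_text, router_ips=ROUTER_IPS, lan=LAN):
    """Return one finding per request to a router whose Cookie contains 'admin'."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            src = ipaddress.ip_address(rec["src_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip it rather than abort the scan
        dst = str(rec.get("dst_ip"))
        if dst not in router_ips:
            continue  # not aimed at a router admin interface
        cookie = str(rec.get("cookie") or "")
        # Case-insensitive form of the SIEM query's "contains" match.
        if "admin" not in cookie.lower():
            continue
        findings.append({
            "line": lineno,
            "src_ip": str(src),
            "dst_ip": dst,
            # Sources outside the LAN rank higher, as in the page's risk rating.
            "severity": "MEDIUM" if src in lan else "HIGH",
        })
    return findings


if __name__ == "__main__":
    for f in find_admin_cookie_requests(SAMPLE_LOG):
        print(f)
```

A substring match also fires on legitimate cookies that happen to contain "admin", so treat findings as leads to correlate with configuration changes, not as confirmed compromise.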
