CVE-2015-7926 – eWON industrial routers with firmware before 10... (How to Fix)

Q: What is the severity of CVE-2015-7926?

CVE-2015-7926 has a CVSS score of 9.9 (CRITICAL). eWON industrial routers with firmware before 10.1s0 lack role-based access control (RBAC) for I/O server information and status requests, allowing remote attackers to obtain sensitive device information via a specific URL. This affects organizations using eWON devices for industrial control system (ICS) connectivity. The vulnerability exposes internal network details and device status without authentication.

📋 TL;DR

eWON industrial routers with firmware before 10.1s0 lack role-based access control (RBAC) for I/O server information and status requests, allowing remote attackers to obtain sensitive device information via a specific URL. This affects organizations using eWON devices for industrial control system (ICS) connectivity. The vulnerability exposes internal network details and device status without authentication.

💻 Affected Systems

Products:

eWON industrial routers (Talk2M, eCatcher, Cosy)

Versions: All firmware versions before 10.1s0

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with I/O server functionality enabled. All default configurations are vulnerable.

📦 What is this software?

Ewon Firmware by Ewon

View all CVEs affecting Ewon Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full visibility into industrial control system networks, enabling reconnaissance for further attacks, potential data exfiltration, or disruption of industrial operations.

🟠

Likely Case

Unauthorized access to sensitive device information including network configurations, I/O server status, and potentially credentials, facilitating further attacks.

🟢

If Mitigated

Information disclosure limited to non-critical data if network segmentation and access controls are properly implemented.

🌐 Internet-Facing: HIGH - Directly accessible via URL without authentication, making internet-exposed devices immediately vulnerable.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems can exploit this to gather sensitive network information.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only accessing a specific URL. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1s0 or later

Vendor Advisory: http://ewon.biz/support/news/support/ewon-security-enhancement-7529-01

Restart Required: Yes

Instructions:

1. Download firmware 10.1s0 or later from eWON support portal. 2. Backup current configuration. 3. Upload new firmware via web interface. 4. Reboot device. 5. Verify firmware version.

🔧 Temporary Workarounds

Network segmentation

all

Isolate eWON devices from untrusted networks using firewalls

Access control lists

linux

Restrict access to eWON web interface to authorized IP addresses only

iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate eWON devices from untrusted networks
Deploy web application firewall (WAF) to block unauthorized access to I/O server URLs

🔍 How to Verify

Check if Vulnerable:

Access the device web interface and check firmware version. If below 10.1s0, device is vulnerable.

Check Version:

ssh admin@device_ip 'cat /etc/version' or check via web interface System > About

Verify Fix Applied:

Verify firmware version is 10.1s0 or later via web interface or SSH. Test that I/O server information requires proper authentication.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to I/O server URLs
Multiple failed authentication attempts followed by successful I/O server access

Network Indicators:

Unusual HTTP GET requests to I/O server endpoints from unauthorized IPs
Traffic to eWON devices from unexpected sources

SIEM Query:

source="ewon_logs" AND (url="*io*" OR url="*status*") AND user="anonymous"

📊 Metadata

CVE ID: CVE-2015-7926

CVSS v3 Score: 9.9 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-200

Published: December 23, 2015

Last Updated: April 12, 2025

🔗 References

http://ewon.biz/support/news/support/ewon-security-enhancement-7529-01 Vendor Advisory
http://packetstormsecurity.com/files/135069/eWON-XSS-CSRF-Session-Management-RBAC-Issues.html
http://seclists.org/fulldisclosure/2015/Dec/118
http://www.securityfocus.com/bid/79625
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-03 Third Party Advisory,US Government Resource
http://ewon.biz/support/news/support/ewon-security-enhancement-7529-01 Vendor Advisory
http://packetstormsecurity.com/files/135069/eWON-XSS-CSRF-Session-Management-RBAC-Issues.html
http://seclists.org/fulldisclosure/2015/Dec/118
http://www.securityfocus.com/bid/79625
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-03 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2015-7926, you might also want to check these: