CVE-2016-10372 – The Eir D1000 modem has a critical vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2016-10372?

CVE-2016-10372 has a CVSS score of 9.8 (CRITICAL). The Eir D1000 modem has a critical vulnerability in its TR-064 protocol implementation that allows remote attackers to execute arbitrary commands without authentication. Attackers can exploit this via TCP port 7547 to gain full control of the device, potentially compromising the entire network. This affects all users of the Eir D1000 modem with default or vulnerable configurations.

📋 TL;DR

The Eir D1000 modem has a critical vulnerability in its TR-064 protocol implementation that allows remote attackers to execute arbitrary commands without authentication. Attackers can exploit this via TCP port 7547 to gain full control of the device, potentially compromising the entire network. This affects all users of the Eir D1000 modem with default or vulnerable configurations.

💻 Affected Systems

Products:

Eir D1000 modem

Versions: All versions prior to patching

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the TR-064 protocol implementation which is enabled by default. The default Wi-Fi password is used as the administrative password, making exploitation easier.

📦 What is this software?

D1000 Modem Firmware by Eir

View all CVEs affecting D1000 Modem Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the modem allowing attackers to reconfigure the device, intercept all network traffic, install malware, and pivot to internal network devices.

🟠

Likely Case

Attackers gain administrative access to the modem, change DNS settings to redirect traffic, steal credentials, and potentially compromise connected devices.

🟢

If Mitigated

Limited to denial of service or temporary disruption if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via the internet-facing WAN interface on port 7547.

🏢 Internal Only: HIGH - Once inside the network, attackers can easily exploit this vulnerability to gain further access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward using publicly available scripts. Attackers can chain multiple steps: open WAN port 80, retrieve credentials via TR-064, then execute arbitrary commands using the NewNTPServer feature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware updates from Eir/ISP

Vendor Advisory: Contact Eir or your ISP for specific advisory

Restart Required: Yes

Instructions:

1. Contact your ISP (Eir) for firmware updates. 2. Apply the latest firmware patch. 3. Reboot the modem. 4. Change all default passwords including Wi-Fi and administrative credentials.

🔧 Temporary Workarounds

Block TR-064 port externally

linux

Block incoming connections to TCP port 7547 on the WAN interface

iptables -A INPUT -p tcp --dport 7547 -j DROP

Disable TR-064 protocol

all

Disable the TR-064 protocol if not required for ISP management

🧯 If You Can't Patch

Replace the vulnerable modem with a different model
Place the modem behind a firewall that blocks all incoming WAN connections except essential services

🔍 How to Verify

Check if Vulnerable:

Check if TCP port 7547 is open and accessible from the internet using nmap: nmap -p 7547 [public_ip]

Check Version:

Check firmware version via modem web interface at http://192.168.1.1 or via ISP management portal

Verify Fix Applied:

Verify port 7547 is no longer accessible from the internet and test if TR-064 commands are blocked

📡 Detection & Monitoring

Log Indicators:

Unusual TR-064 protocol activity
Multiple failed authentication attempts on port 7547
Changes to NTP server settings

Network Indicators:

External connections to internal port 7547
Unusual outbound traffic from modem
DNS changes from modem

SIEM Query:

source_port=7547 OR dest_port=7547 AND (action=deny OR protocol=TR-064)

📊 Metadata

CVE ID: CVE-2016-10372

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-264

Published: May 16, 2017

Last Updated: April 20, 2025

🔗 References

https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/ Exploit,Third Party Advisory
https://ghostbin.com/paste/q2vq2
https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/ Exploit,Technical Description,Third Party Advisory
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/ Exploit,Third Party Advisory
https://ghostbin.com/paste/q2vq2
https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/ Exploit,Technical Description,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2016-10372, you might also want to check these: