CVE-2017-12574
📋 TL;DR
CVE-2017-12574 is a critical authentication bypass vulnerability affecting PLANEX CS-W50HD wireless access points. Attackers can gain complete administrative control using hardcoded credentials 'supervisor:dangerous' that cannot be modified or removed. All devices running firmware versions before 030720 are vulnerable.
💻 Affected Systems
- PLANEX CS-W50HD Wireless Access Point
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the wireless access point allowing attackers to reconfigure network settings, intercept traffic, deploy malware, or use the device as a pivot point into the internal network.
Likely Case
Unauthorized administrative access leading to network configuration changes, traffic monitoring, and potential lateral movement to connected systems.
If Mitigated
Limited impact if device is isolated in a segmented network with strict firewall rules and monitoring, though credentials remain exposed.
🎯 Exploit Status
Exploitation requires only knowledge of the hardcoded credentials and access to the web interface. No special tools or skills needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 030720 or later
Vendor Advisory: http://seclists.org/fulldisclosure/2018/Aug/25
Restart Required: Yes
Instructions:
1. Download firmware version 030720 or later from the PLANEX website.
2. Log into the device web interface.
3. Navigate to the firmware update section.
4. Upload and apply the new firmware.
5. Reboot the device after the update completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate vulnerable devices in a separate VLAN with strict firewall rules limiting access to the management interface.
Access Control Lists
Implement IP-based restrictions so that only trusted management stations can reach the web interface.
🧯 If You Can't Patch
- Replace vulnerable devices with updated models or different vendors
- Disable web management interface entirely and use only console/SSH if available
🔍 How to Verify
Check if Vulnerable:
Attempt to log into web interface using credentials 'supervisor:dangerous'. If successful, device is vulnerable.
Check Version:
Log into web interface and check firmware version in system information page.
Verify Fix Applied:
After firmware update, attempt to log in with 'supervisor:dangerous' credentials. Access should be denied.
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts followed by successful login with 'supervisor' username
- Configuration changes from unexpected IP addresses
Network Indicators:
- HTTP requests to management interface from unauthorized IPs
- Unusual configuration changes via web interface
SIEM Query:
source="firewall.log" dest_ip="<device_ip>" (dest_port=80 OR dest_port=443) NOT src_ip IN (<trusted_management_ips>)
source="<device_auth_log>" user="supervisor"
(The "failed logins followed by a successful login from the same source" indicator is a sequence condition; express it as a correlation or transaction rule in your SIEM rather than as a single filter. Replace the angle-bracket placeholders with your own values.)
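The log indicators above, as an added example that is not part of the advisory or any vendor tooling: a small scanner that walks constructed device auth-log lines and flags use of the hardcoded 'supervisor' account, a failure-then-success sequence per source IP, and successful logins from outside a trusted management set. The log line format, field names and the trusted-station list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines; the format is an assumption, not the device's real log.
SAMPLE_LOG = """\
2018-08-14T10:01:02Z src=192.168.1.50 user=admin result=FAIL
2018-08-14T10:01:09Z src=192.168.1.50 user=admin result=FAIL
2018-08-14T10:01:15Z src=192.168.1.50 user=supervisor result=OK
2018-08-14T10:05:00Z src=10.0.0.7 user=admin result=OK
2018-08-14T11:20:31Z src=203.0.113.9 user=supervisor result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)
HARDCODED_USER = "supervisor"          # the backdoor account named in the advisory
ALLOWED_MGMT = {"10.0.0.7"}            # assumed trusted management stations

def parse(log_text):
    """Parse matching lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_indicators(events, allowed_mgmt=ALLOWED_MGMT):
    """Return (indicator, src, ts) tuples for the indicators listed on this page."""
    hits = []
    prior_fail = defaultdict(int)      # consecutive failed logins per source IP
    for ev in events:
        src, ts = ev["src"], ev["ts"]
        if ev["user"] == HARDCODED_USER:
            hits.append(("hardcoded_user_login", src, ts))
        if ev["result"] == "OK":
            if prior_fail[src] > 0:
                hits.append(("fail_then_success", src, ts))
            if src not in allowed_mgmt:
                hits.append(("success_from_unexpected_source", src, ts))
            prior_fail[src] = 0
        else:
            prior_fail[src] += 1
    return hits

def scan(log_text):
    return find_indicators(parse(log_text))

if __name__ == "__main__":
    for indicator, src, ts in scan(SAMPLE_LOG):
        print(f"{ts} {src} {indicator}")
```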