Login Sign Up

CVE-2017-15304

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to bypass authentication on Airtame HDMI dongles by setting their own session ID cookie, enabling persistent access to the admin panel even after password changes. It affects all Airtame devices running firmware versions before 3.0.

💻 Affected Systems

Products:
  • Airtame HDMI dongle
Versions: All firmware versions before 3.0
Operating Systems: Embedded Linux on Airtame device
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the web panel's login.php component. All default configurations are affected.

📦 What is this software?

Hdmi Dongle Firmware by Airtame

View all CVEs affecting Hdmi Dongle Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Airtame device allowing attackers to maintain persistent admin access, potentially enabling further network attacks or device misuse.

🟠

Likely Case

Unauthorized access to the admin panel allowing configuration changes, device hijacking, or network reconnaissance.

🟢

If Mitigated

Limited impact if devices are isolated from untrusted networks and proper access controls are implemented.

🌐 Internet-Facing: HIGH - Devices exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only setting a custom PHPSESSID cookie header. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware 3.0 and later

Vendor Advisory: https://airtame.com/security/

Restart Required: Yes

Instructions:

1. Access Airtame admin panel. 2. Navigate to Settings > System Update. 3. Check for and install firmware version 3.0 or later. 4. Reboot the device after update completes.

🔧 Temporary Workarounds

Network isolation

all

Isolate Airtame devices from untrusted networks and restrict access to authorized IPs only.

Disable web panel

all

Disable the web administration interface if not required for operations.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Airtame devices from untrusted networks
  • Monitor for unauthorized access attempts and review admin panel access logs regularly

🔍 How to Verify

Check if Vulnerable:

Check firmware version in admin panel Settings > About. If version is below 3.0, device is vulnerable.

Check Version:

curl -s http://[airtame-ip]/api/v1/system/info | grep version

Verify Fix Applied:

Verify firmware version is 3.0 or higher in Settings > About. Test authentication bypass by attempting to set custom PHPSESSID cookie.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful access with custom session IDs
  • Admin panel access from unusual IP addresses

Network Indicators:

  • HTTP requests to /bin/login.php with custom PHPSESSID headers
  • Unusual admin panel traffic patterns

SIEM Query:

source="airtame.logs" AND (uri="/bin/login.php" AND cookie="PHPSESSID=*")

📊 Metadata

CVE ID: CVE-2017-15304
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-384
Published: October 15, 2017
Last Updated: April 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-15304, you might also want to check these:

CVE-2024-11317 10.0

CVE-2024-11317 is a session fixation vulnerability in ABB ASPECT, NEXUS, and MATRIX series products ...

Same vulnerability type (CWE-384)
CVE-2024-38513 10.0

This vulnerability in GoFiber's session middleware allows attackers to supply their own session_id, ...

Same vulnerability type (CWE-384)
CVE-2021-20151 10.0

This vulnerability allows session hijacking on Trendnet AC2600 routers by exploiting IP-based sessio...

Same vulnerability type (CWE-384)