CVE-2017-16523
📋 TL;DR
This vulnerability is a hardcoded account (username zyad1234, password zyad1234) with root-equivalent access on MitraStar DSL and GPON gateways. Anyone who can reach a management interface (telnet, SSH or the web UI) and knows the credentials gains full administrative control of the device. Organizations and home users running the listed models are affected; these gateways are commonly ISP-supplied, so check the label on the unit rather than assuming the model name.
💻 Affected Systems
- MitraStar GPT-2541GNAC (HGU)
- DSL-100HN-T1
📦 What is this software?
MitraStar Technology is a Taiwanese manufacturer of customer-premises gateways, typically supplied and branded by ISPs. The GPT-2541GNAC is a GPON home gateway unit (HGU) and the DSL-100HN-T1 is an xDSL gateway; both expose telnet, SSH and web management interfaces.
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, or disable internet connectivity.
Likely Case
Unauthorized administrative access leading to network monitoring, DNS hijacking, or device configuration changes.
If Mitigated
Limited impact if the management interfaces (telnet, SSH, web) are unreachable from the WAN and from untrusted LAN segments, and the zyad1234 password has been changed. An ordinary credential-rotation policy does not help on its own: the account is hardcoded, so it has to be dealt with explicitly on each device.
🎯 Exploit Status
Exploitation requires only network access to a management interface and knowledge of the hardcoded credentials; no memory corruption or timing is involved, so it is fully reliable. Public exploit code (see References) demonstrates the privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch is known. Check the vendor website for firmware updates and apply them if available. If the gateway was supplied by an ISP, the ISP rather than MitraStar is usually the only channel for firmware, so raise it with them.
🔧 Temporary Workarounds
Change Default Credentials
Change the password for the zyad1234 account immediately if the account cannot be disabled. Re-check after any firmware update or factory reset, since either can restore the hardcoded default.
Login via SSH/Telnet/web interface and change password using device administration tools
Disable Remote Management
Disable WAN-side administrative access (telnet, SSH and the web UI) to prevent external exploitation.
Access router admin interface → Security/Remote Management → Disable remote access
🧯 If You Can't Patch
- Replace affected routers with models from vendors that provide security updates
- Segment router management to isolated VLAN with strict access controls
🔍 How to Verify
Check if Vulnerable:
With authorization to test the device, attempt to log in via Telnet, SSH or the web interface using the credentials zyad1234:zyad1234. If the login succeeds, the device is vulnerable. A refused connection from the WAN side is not a pass on its own: repeat the test from the LAN.
Check Version:
Read the firmware version from the router web interface status page. 'cat /proc/version' over SSH reports only the kernel build string, which helps match a device against the advisory but is not the firmware version.
Verify Fix Applied:
Verify new credentials work and old credentials fail. Check that remote management is disabled.
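To make the "Check if Vulnerable" and "Verify Fix Applied" steps repeatable across many gateways, the following added script (not from the advisory and not MitraStar tooling) performs the telnet login test programmatically. The only fact it takes from the page is the credential pair; the telnet option handling, the prompt strings it looks for, and the in-process stub that stands in for a gateway are assumptions made so that the script runs offline. Point `check_device` at a real gateway's management address only with authorization to test it.

```python
import socket
import threading

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
HARDCODED = ("zyad1234", "zyad1234")            # credential pair from the advisory
FAIL_MARKERS = (b"incorrect", b"denied", b"login:")
PROMPT_MARKERS = (b"$ ", b"# ", b"> ")          # assumed shell/CLI prompts


def _filter_negotiation(data: bytes, sock: socket.socket) -> bytes:
    """Refuse every telnet option the peer offers and strip IAC sequences from the stream."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            if data[i + 1] == DO:
                sock.sendall(bytes([IAC, WONT, data[i + 2]]))
            elif data[i + 1] == WILL:
                sock.sendall(bytes([IAC, DONT, data[i + 2]]))
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:               # skip subnegotiation
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                                  # other two-byte IAC command
    return bytes(out)


def _read_until(sock: socket.socket, markers, timeout: float) -> bytes:
    """Read until any marker appears (case-insensitive), the peer closes, or the timeout expires."""
    sock.settimeout(timeout)
    buf = bytearray()
    while not any(m in bytes(buf).lower() for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += _filter_negotiation(chunk, sock)
    return bytes(buf)


def telnet_login_succeeds(host, port, user, password, timeout=5.0) -> bool:
    """True when the device answers the credentials with a shell/CLI prompt rather than a failure."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_until(sock, (b"login:", b"username:"), timeout)
        sock.sendall(user.encode() + b"\r\n")
        _read_until(sock, (b"password:",), timeout)
        sock.sendall(password.encode() + b"\r\n")
        reply = _read_until(sock, FAIL_MARKERS + PROMPT_MARKERS, timeout).lower()
    return not any(m in reply for m in FAIL_MARKERS) and any(p in reply for p in PROMPT_MARKERS)


def check_device(host: str, port: int = 23) -> str:
    """'vulnerable' if zyad1234:zyad1234 logs in, 'unreachable' if telnet is closed, else 'ok'."""
    try:
        return "vulnerable" if telnet_login_succeeds(host, port, *HARDCODED) else "ok"
    except OSError:
        return "unreachable"


def _recv_line(conn: socket.socket) -> str:
    buf = bytearray()
    while b"\n" not in buf:
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += _filter_negotiation(chunk, conn)
    return bytes(buf).decode(errors="replace").strip()


def start_stub_router(accept=HARDCODED):
    """Constructed stand-in for a gateway's telnet service; returns (listening socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.sendall(bytes([IAC, WILL, 1]) + b"stub-gateway login: ")   # offers ECHO option
            user = _recv_line(conn)
            conn.sendall(b"Password: ")
            if (user, _recv_line(conn)) == accept:
                conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\nstub-gateway login: ")

    def serve():
        while True:
            try:
                threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_stub_router()
    print("stub gateway:", check_device("127.0.0.1", port))      # vulnerable
    srv.close()
```

Run `check_device` against the gateway's LAN address from inside the network, and again from the WAN side after applying the workaround: `unreachable` from outside together with `ok` from inside is the state you want. A gateway whose telnet port is closed but whose web UI still accepts the account is not fixed, so the web interface needs its own check.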
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login as zyad1234
- Unusual configuration changes from zyad1234 account
Network Indicators:
- Unexpected SSH/Telnet connections to router management interface
- Traffic patterns suggesting DNS hijacking or MITM
SIEM Query (Splunk-style; the field names are an assumption and depend on how the router's syslog is parsed):
source="router_logs" AND (user="zyad1234" OR action="auth_failure")
The second clause surfaces every failed login to the gateway, which should be rare on a home or branch router and is worth reviewing alongside any zyad1234 activity.
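As an added example (not part of this page and not vendor tooling), here is the indicator list above turned into detection logic and run over a few constructed syslog lines. The line format and field names (`user=`, `src=`, `key=`) are assumptions; real MitraStar syslog output needs its own regex, but the three rules (any login as zyad1234, failures followed by a success from one source, configuration changes by that account) carry over unchanged.

```python
import re
from datetime import datetime, timedelta

HARDCODED_USER = "zyad1234"          # the account from CVE-2017-16523

# Assumed line format: ISO timestamp, host, process[pid]: free text followed by key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: two failures then a success as zyad1234 from one WAN address,
# a DNS change by that account, and a normal admin login from the LAN.
SAMPLE_LOG = """\
2017-11-05T09:58:01 gateway telnetd[611]: auth failed user=admin src=203.0.113.7
2017-11-05T09:58:09 gateway telnetd[611]: auth failed user=root src=203.0.113.7
2017-11-05T09:58:20 gateway telnetd[611]: auth ok user=zyad1234 src=203.0.113.7
2017-11-05T09:58:44 gateway cfg[702]: config changed user=zyad1234 key=dns.primary value=198.51.100.53
2017-11-05T10:15:02 gateway telnetd[611]: auth ok user=admin src=192.168.1.20
"""


def parse_line(line):
    """Split one log line into an event dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m["msg"]
    first_kv = KV_RE.search(msg)
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "proc": m["proc"],
          "action": (msg[:first_kv.start()] if first_kv else msg).strip()}
    ev.update(KV_RE.findall(msg))
    return ev


def analyze(lines, window=timedelta(minutes=5), min_failures=2):
    """Apply the three rules from the indicator list and return alerts in log order."""
    alerts, failures = [], {}              # failures: src -> timestamps of failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, src, action, ts = ev.get("user"), ev.get("src"), ev["action"], ev["ts"]
        if action == "auth failed":
            failures.setdefault(src, []).append(ts)
        elif action == "auth ok":
            if user == HARDCODED_USER:     # any successful use of the account is reportable
                alerts.append({"rule": "hardcoded_account_login", "src": src, "ts": ts})
            recent = [t for t in failures.pop(src, []) if ts - t <= window]
            if len(recent) >= min_failures:  # guessing, then a hit: classic brute-force shape
                alerts.append({"rule": "failures_then_success", "src": src, "user": user,
                               "failures": len(recent), "ts": ts})
        elif action == "config changed" and user == HARDCODED_USER:
            alerts.append({"rule": "config_change_by_hardcoded_account",
                           "key": ev.get("key"), "value": ev.get("value"), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The failure window is keyed on the source address rather than the username because an attacker trying several accounts before landing on zyad1234 is exactly the sequence the Log Indicators describe; the DNS change in the sample is the kind of configuration edit to treat as an incident, not a misconfiguration.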
🔗 References
- http://www.securityfocus.com/bid/101672
- https://packetstormsecurity.com/files/144805/MitraStar-DSL-100HN-T1-GPT-2541GNAC-Privilege-Escalation.html
- https://www.exploit-db.com/exploits/43061/