CVE-2017-16885

CVSS score: 9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to access sensitive information from FiberHome LM53Q1 routers without authentication. Attackers can retrieve device version, firmware ID, connected users' MAC addresses, and potentially change passwords. Anyone using the affected router model with the vulnerable firmware is at risk.

💻 Affected Systems

Products:
  • FiberHome LM53Q1
Versions: VH519R05C01S38
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web portal interface specifically. Other firmware versions may also be vulnerable but not confirmed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to change passwords, monitor all connected users, and potentially pivot to internal network attacks.

🟠

Likely Case

Information disclosure of connected devices and network configuration, enabling targeted attacks against users.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Directly accessible from internet without authentication required.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or malware on network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to specific endpoints bypass authentication. Exploit code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Check with FiberHome for firmware updates or consider device replacement.

🔧 Temporary Workarounds

Disable WAN access to web portal (platform: linux)

Configure the firewall to block external access to the router web interface (typically port 80/443). The rules below bind to the WAN interface only, so LAN-side management stays reachable; replace WAN_IF with the device's actual WAN interface name (placeholder, not taken from the vendor):

  # drop inbound web-portal traffic arriving on the WAN interface
  iptables -A INPUT -i WAN_IF -p tcp --dport 80 -j DROP
  iptables -A INPUT -i WAN_IF -p tcp --dport 443 -j DROP

Network segmentation (platform: all)

Isolate the router management interface on a separate VLAN with restricted access.

🧯 If You Can't Patch

  • Replace affected devices with patched or different vendor equipment
  • Implement strict network monitoring for unauthorized access attempts to router management interface

🔍 How to Verify

Check if Vulnerable:

Attempt to access the following URL without authentication. If it returns device information, the device is vulnerable:

  http://[router-ip]/api/v1/system/info

Check Version:

Check the router web interface, or use curl:

  curl -s http://[router-ip]/api/v1/system/info | grep version

Verify Fix Applied:

Verify that unauthenticated requests to /api/v1/ endpoints return authentication errors or are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to /api/v1/ endpoints
  • Multiple failed authentication attempts followed by successful API calls

Network Indicators:

  • HTTP GET requests to router IP on port 80/443 with /api/v1/ paths from external IPs

SIEM Query:

source="router_logs" AND (url_path="/api/v1/system/info" OR url_path="/api/v1/user/list") AND auth_status="none"
