CVE-2018-10544

9.8 CRITICAL

📋 TL;DR

Meross MSS110 smart plugs contain an unauthenticated administrative interface at admin.htm, allowing attackers to gain full administrative control without credentials. This affects all users of MSS110 devices running firmware through version 1.1.24.

💻 Affected Systems

Products:
  • Meross MSS110 Smart Wi-Fi Plug Mini
Versions: through 1.1.24
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete device takeover allowing attackers to reconfigure device settings, intercept network traffic, or use the device as a foothold for lateral movement within the network.

🟠 Likely Case
Attackers gain administrative access to smart plugs, potentially enabling them to control power states, monitor energy usage, or access other network resources.

🟢 If Mitigated
With proper network segmentation and access controls, impact is limited to the smart plug device itself without network lateral movement.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly attacked without authentication.
🏢 Internal Only: MEDIUM - Requires attacker to have internal network access, but still provides unauthenticated administrative control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only web browser access to the admin.htm page. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider replacing affected devices or implementing network-level controls.

🔧 Temporary Workarounds

Network Segmentation (applies to: all versions)
Isolate smart plug devices on a separate VLAN or network segment with restricted access.

Firewall Rules (applies to: all versions)
Block external access to smart plug web interfaces and restrict internal access.

🧯 If You Can't Patch

  • Remove devices from internet-facing networks and place behind firewalls
  • Monitor network traffic to/from smart plug devices for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Open http://[device-ip]/admin.htm in a browser. If the page is served without prompting for credentials, the device is vulnerable.

Check Version:

Check device firmware version via Meross app or web interface

Verify Fix Applied:

Check whether the admin.htm page now requires authentication or returns a 403/404 error.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to admin.htm page
  • Multiple failed authentication attempts followed by successful admin access

Network Indicators:

  • HTTP GET requests to /admin.htm from unauthorized sources
  • Unusual traffic patterns to smart plug devices

SIEM Query:

source_ip=* dest_ip=[device_ip] uri_path="/admin.htm"
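The SIEM query above only matches the literal path. The following added example (not part of the original advisory) applies the same network indicator to access-log lines with a few practical refinements: it normalises the URI so variants such as a different case or an appended query string still match, it restricts alerts to the IP addresses of known plugs, and it grades each hit by HTTP status and by whether the source is an approved management host. The log format, the plug address 192.168.20.7 and the management host 192.168.20.2 are constructed assumptions for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample proxy/firewall log lines; not real device traffic.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z src=192.168.10.50 dst=192.168.20.7 method=GET uri="/admin.htm" status=200
2024-05-01T10:00:05Z src=192.168.20.2 dst=192.168.20.7 method=GET uri="/status" status=200
2024-05-01T10:00:09Z src=203.0.113.44 dst=192.168.20.7 method=GET uri="/Admin.htm?x=1" status=200
2024-05-01T10:00:12Z src=192.168.20.2 dst=192.168.20.7 method=GET uri="/admin.htm" status=200
2024-05-01T10:00:20Z src=192.168.10.50 dst=192.168.10.9 method=GET uri="/admin.htm" status=404
2024-05-01T10:00:25Z src=192.168.10.50 dst=192.168.20.7 method=GET uri="/admin.htm" status=401
"""

# Assumed inventory of MSS110 plugs on the IoT segment (hypothetical address).
PLUG_ADDRESSES = {"192.168.20.7"}
# Assumed management host permitted to reach the plug web UI (hypothetical address).
ALLOWED_MANAGEMENT = [ip_network("192.168.20.2/32")]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) '
    r'uri="(?P<uri>[^"]*)" status=(?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one key=value log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_page(uri):
    """True when the request path is /admin.htm, ignoring case and query string."""
    return urlsplit(uri).path.lower() == "/admin.htm"


def is_allowed_source(src):
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_MANAGEMENT)


def classify(rec):
    """Return an alert severity for a record, or None if it is not of interest."""
    if rec["dst"] not in PLUG_ADDRESSES or not is_admin_page(rec["uri"]):
        return None
    if rec["status"] == 200:
        # The page was served without a challenge: unauthenticated admin access.
        # Only an approved management host may do this without raising an alert.
        return "info" if is_allowed_source(rec["src"]) else "critical"
    if rec["status"] in (401, 403):
        return "low"  # access attempted but denied; page appears protected
    return "info"


def scan(log_text):
    """Return (severity, src, dst, uri, status) tuples for admin.htm hits on plugs."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            alerts.append((severity, rec["src"], rec["dst"], rec["uri"], rec["status"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

A 200 response to /admin.htm from anything other than the management host is the condition this advisory describes and is graded critical; a 401/403 indicates the device now challenges for credentials, which is the state the "Verify Fix Applied" step above looks for.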
