CVE-2018-10578

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass the old-password validation in the change password function of WatchGuard AP series access points, enabling unauthorized password changes without knowledge of the current password. Affected devices are the AP100, AP102 and AP200 with firmware before 1.2.9.15, and the AP300 with firmware before 2.0.0.10.

💻 Affected Systems

Products:
  • WatchGuard AP100
  • WatchGuard AP102
  • WatchGuard AP200
  • WatchGuard AP300
Versions: AP100/AP102/AP200: firmware before 1.2.9.15; AP300: firmware before 2.0.0.10
Operating Systems: WatchGuard proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. The change password functionality is typically accessible to authenticated users.

📦 What is this software?

WatchGuard AP100, AP102, AP200 and AP300 are wireless access points sold by WatchGuard Technologies. Each runs WatchGuard's own firmware and exposes a local web management interface, which is where the vulnerable change password function lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete device compromise: the attacker changes the admin password, locks out the legitimate administrator, gains persistent access, and pivots into the networks the access point bridges.

🟠 Likely Case
Unauthorized administrative access to the access point, enabling network configuration changes and traffic interception on the wireless segments it serves.

🟢 If Mitigated
Limited impact if the management interface is reachable only from a restricted management network and password changes are monitored, though control of the device can still be lost if the interface is reached.

🌐 Internet-Facing: HIGH - Where the web management interface is reachable from the internet, anyone who can reach the change password form can set a new admin password, because the check of the old password is what the bypass defeats.
🏢 Internal Only: MEDIUM - Internal attackers who can reach the management interface can exploit this to gain administrative privileges on the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires reaching the change password interface, which normally sits behind the web login. The flaw is in the validation logic of the old password field: the current password is not properly checked before the new one is accepted, so an attacker who reaches the form does not need to know it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AP100/AP102/AP200: 1.2.9.15 or later; AP300: 2.0.0.10 or later

Advisory (Full Disclosure post, not a vendor bulletin): http://seclists.org/fulldisclosure/2018/May/12

Restart Required: Yes

Instructions:

1. Log into the WatchGuard support portal.
2. Download the firmware version that matches your device model (1.2.9.15 or later for AP100/AP102/AP200, 2.0.0.10 or later for AP300).
3. Upload the firmware via the device web interface.
4. Reboot the device after installation completes, then confirm the new version in the web interface.

🔧 Temporary Workarounds

Disable web management interface (all affected models)

Disable HTTP/HTTPS management access to reduce the attack surface. This also removes the path used to upload the patched firmware, so re-enable it only from a trusted management network when you patch.

Network segmentation (all affected models)

Place access points in an isolated management segment with firewall rules that allow only designated management hosts to reach the web interface.

🧯 If You Can't Patch

  • Implement strict network access controls so that only designated management hosts can reach the web management interface
  • Enable detailed logging and alert on password change events and on management-interface access from unexpected sources
  • Periodically confirm that the known admin password still works; an unexpected login failure is a sign the password was changed by someone else

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System > Status > Firmware Version

Check Version:

No dedicated CLI command is documented; read the version from the web interface or, if SSH access to the device is enabled, from its shell

Verify Fix Applied:

Verify the firmware version is 1.2.9.15 or later for AP100/AP102/AP200, or 2.0.0.10 or later for AP300. Compare the version numerically, component by component; a plain string comparison treats 1.2.9.15 as older than 1.2.9.2.
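The version check above is easy to get wrong in an inventory script, because a text comparison of dotted versions sorts 1.2.9.15 before 1.2.9.2. The following is an added example, not part of this advisory or of any WatchGuard tooling: it encodes the fixed versions stated above, parses firmware strings into numeric tuples, and reports which devices in a constructed inventory still need the patch.

```python
"""Decide whether a WatchGuard AP firmware version predates the fix for CVE-2018-10578.

Added example; not part of the advisory or of WatchGuard's tooling. The fixed
versions are the ones stated in the advisory; the inventory at the bottom is
constructed test data, not real device output.
"""
from typing import Iterable, List, Tuple

# Fixed firmware per model, as stated in the advisory.
FIXED_VERSIONS = {
    "AP100": "1.2.9.15",
    "AP102": "1.2.9.15",
    "AP200": "1.2.9.15",
    "AP300": "2.0.0.10",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.9.15' into (1, 2, 9, 15) so components compare numerically.

    A plain string comparison gets this wrong: '1.2.9.15' < '1.2.9.2'
    lexicographically, although 15 > 2.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model: str, firmware: str) -> bool:
    """True when the model is affected and its firmware predates the fixed release."""
    model = model.strip().upper()
    if model not in FIXED_VERSIONS:
        raise ValueError(f"model {model!r} is not listed as affected by CVE-2018-10578")
    return parse_version(firmware) < parse_version(FIXED_VERSIONS[model])


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (model, firmware) pairs from an inventory that still need patching."""
    return [(model, fw) for model, fw in inventory if is_vulnerable(model, fw)]


if __name__ == "__main__":
    # Constructed inventory for illustration; not real device data.
    sample = [
        ("AP100", "1.2.9.14"),
        ("AP200", "1.2.9.15"),
        ("AP300", "2.0.0.9"),
        ("AP300", "2.0.1.0"),
    ]
    for model, fw in sample:
        state = "VULNERABLE" if is_vulnerable(model, fw) else "fixed"
        print(f"{model:6} {fw:10} {state}")
```

Feed `triage()` the model and version strings you read from each device's web interface; anything it returns is below the fixed release for that model.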

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password change attempts
  • Successful password changes from unusual IP addresses
  • Authentication logs showing admin password changes

Network Indicators:

  • HTTP POST requests to the change password endpoint (the exact path depends on the firmware; /cgi-bin/change_password.cgi is given here as an example, so confirm it against your device's web interface)
  • Unusual management interface access patterns

SIEM Query:

source="watchguard" AND (event_type="password_change" OR uri_path="*change_password*")

(Splunk-style pseudo-query; the field names depend on how your collector parses the access point's logs.)
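The log and network indicators above can be turned into detection logic that runs over web-interface access logs. The following is an added example, not part of this advisory: it parses constructed Apache/CLF-style log lines (the advisory does not give the AP's real log format), flags password-change POSTs from outside an assumed management network, and flags bursts of password-change requests from one source. The endpoint pattern, management network and threshold are assumptions to adapt to your environment.

```python
"""Flag suspicious password-change requests in AP web-interface access logs.

Added example; not part of the advisory. The log format is a constructed
CLF-style line because the advisory does not show the AP's real log format.
PASSWORD_CHANGE_PATTERN, MANAGEMENT_NETS and BURST_THRESHOLD are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not real device output).
SAMPLE_LOG = """\
10.0.0.5 - admin [05/May/2018:10:00:01 +0000] "GET /login.cgi HTTP/1.1" 200 512
10.0.0.5 - admin [05/May/2018:10:00:09 +0000] "POST /cgi-bin/change_password.cgi HTTP/1.1" 200 120
203.0.113.7 - - [05/May/2018:10:02:15 +0000] "POST /cgi-bin/change_password.cgi HTTP/1.1" 200 120
203.0.113.7 - - [05/May/2018:10:02:16 +0000] "POST /cgi-bin/change_password.cgi HTTP/1.1" 200 120
203.0.113.7 - - [05/May/2018:10:02:17 +0000] "POST /cgi-bin/change_password.cgi HTTP/1.1" 200 120
192.168.1.20 - - [05/May/2018:10:05:00 +0000] "GET /status.cgi HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed: any request path containing this string is a password change.
PASSWORD_CHANGE_PATTERN = re.compile(r"change_password", re.IGNORECASE)
# Assumed management network; password changes from anywhere else are suspect.
MANAGEMENT_NETS = [ip_network("10.0.0.0/24")]
# Assumed: this many password-change POSTs from one IP within the window is a burst.
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(minutes=1)

Alert = Tuple[str, str, datetime]  # (rule name, source IP, timestamp)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one CLF-style line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), TS_FMT)
    return rec


def is_management_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def detect(log_text: str) -> List[Alert]:
    """Return alerts for password-change POSTs from unexpected sources or in bursts."""
    alerts: List[Alert] = []
    attempts: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not PASSWORD_CHANGE_PATTERN.search(str(rec["path"])):
            continue
        ip, ts = str(rec["ip"]), rec["ts"]
        assert isinstance(ts, datetime)
        if not is_management_ip(ip):
            alerts.append(("password_change_from_unexpected_source", ip, ts))
        # Sliding window: keep only attempts newer than the window, then count.
        window = [t for t in attempts[ip] if ts - t < BURST_WINDOW]
        window.append(ts)
        attempts[ip] = window
        if len(window) == BURST_THRESHOLD:  # alert once, when the threshold is first reached
            alerts.append(("password_change_burst", ip, ts))
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:40} {ip}")
```

Run it over the sample and the single change from 10.0.0.5 passes silently, while the three requests from 203.0.113.7 produce one unexpected-source alert each plus one burst alert when the third arrives within the window. Point `detect()` at your collector's export of the AP access logs once the line format and endpoint path match your firmware.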

🔗 References

  • Full Disclosure post disclosing the issue: http://seclists.org/fulldisclosure/2018/May/12
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2018-10578