Login Sign Up

CVE-2018-15555

9.8 CRITICAL

📋 TL;DR

This vulnerability allows physical attackers to gain root access to Telus Actiontec WEB6000Q devices via exposed UART headers using default credentials. Attackers with physical access can bypass authentication and gain complete control of the device. This affects all users of Telus Actiontec WEB6000Q v1.1.02.22 devices.

💻 Affected Systems

Products:
  • Telus Actiontec WEB6000Q
Versions: v1.1.02.22
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration with enabled UART headers and hardcoded credentials.

📦 What is this software?

Web6000q Firmware by Actiontec

View all CVEs affecting Web6000q Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to install persistent malware, intercept all network traffic, pivot to internal networks, and use device as attack platform.

🟠

Likely Case

Physical attacker gains root shell access, modifies device configuration, installs backdoors, and potentially accesses connected devices on the network.

🟢

If Mitigated

With physical security controls, impact limited to device compromise without network propagation.

🌐 Internet-Facing: LOW (requires physical access to device)
🏢 Internal Only: HIGH (physical access to internal device leads to complete compromise)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires physical access to device UART headers and basic serial connection tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Contact Telus/Actiontec for firmware updates or replacement options.

🔧 Temporary Workarounds

Disable UART access

all

Physically disable or obscure UART headers on device PCB

Requires physical modification: Desolder or cover UART pins

Change root password

linux

Change default root password if device allows password modification

passwd root
Enter new secure password

🧯 If You Can't Patch

  • Implement strict physical security controls for device location
  • Replace affected devices with updated models if available

🔍 How to Verify

Check if Vulnerable:

Check device label for model WEB6000Q and version v1.1.02.22. Physically inspect for exposed UART headers.

Check Version:

Check device label or web interface for firmware version

Verify Fix Applied:

Attempt UART connection with serial adapter using root/admin credentials. Successful login indicates vulnerable.

📡 Detection & Monitoring

Log Indicators:

  • Serial console login attempts
  • Root login from unexpected source

Network Indicators:

  • Unusual outbound connections from device
  • Configuration changes without authorization

SIEM Query:

Device:Telus Actiontec AND Event:Authentication AND Result:Success AND User:root

📊 Metadata

CVE ID: CVE-2018-15555
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-662
Published: June 28, 2019
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-15555, you might also want to check these:

CVE-2024-32644 9.1

This critical vulnerability in Evmos blockchain allows attackers to mint arbitrary tokens by exploit...

Same vulnerability type (CWE-662)
CVE-2020-36208 7.8

This vulnerability in the Rust conquer-once crate allows thread crossing for non-Send but Sync types...

Same vulnerability type (CWE-662)
CVE-2020-36215 7.5

This vulnerability in the hashconsing Rust crate allows memory corruption due to missing Send and Sy...

Same vulnerability type (CWE-662)