CVE-2018-16591

9.8 CRITICAL

📋 TL;DR

CVE-2018-16591 allows unauthenticated attackers to change the administrative password on FURUNO FELCOM 250 and 500 satellite communication terminals by sending an HTTP POST to the password-change CGI scripts of the web interface. A successful request locks out legitimate administrators and gives the attacker control of the terminal's configuration. Any organization whose FELCOM web interface is reachable from outside a tightly controlled management network is affected.

💻 Affected Systems

Products:
  • FURUNO FELCOM 250
  • FURUNO FELCOM 500
Versions: All versions prior to patching
Operating Systems: Embedded system
Default Config Vulnerable: ⚠️ Yes
Notes: Devices with web interface exposed are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete takeover of the terminal's administrative account, disruption of the vessel's satellite communications, and, where the terminal is networked with them, potential manipulation of navigation or safety systems.

🟠

Likely Case

Unauthorized administrative access leading to device configuration changes, data interception, or service disruption.

🟢

If Mitigated

Limited impact if devices are properly segmented and not internet-facing.

🌐 Internet-Facing: HIGH - Direct internet exposure allows remote exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit if network access exists.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single HTTP POST to one of the password-change CGI endpoints, with no credentials, session, or special tooling required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with FURUNO for specific firmware versions

Vendor Advisory: https://www.furuno.com/en/security/

Restart Required: Yes

Instructions:

1. Contact FURUNO support for the latest firmware for your model.
2. Back up the device configuration.
3. Apply the firmware update via the web interface or physical media.
4. Verify that the password-change functionality now requires authentication.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate FELCOM devices from untrusted networks. The terminal's web interface should be reachable only from a dedicated management VLAN or through a jump host, never from the crew or passenger network and never directly from the internet.

Access Control Lists

Platform: linux

Restrict access to the device's management interface to known management addresses. The FELCOM itself is an embedded system and does not take iptables rules, so the rules below belong on a Linux firewall in front of the terminal. They are appended in order, so the ACCEPT must be issued before the DROP; replace trusted_ip with the management host or subnet, and add the same pair for port 443 if the interface is also served over TLS. If the firewall routes traffic to the terminal rather than terminating it, put the equivalent rules in the FORWARD chain with -d <terminal IP>, since INPUT only filters traffic addressed to the firewall itself.

iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT   # allow the management host or subnet
iptables -A INPUT -p tcp --dport 80 -j DROP                   # drop everyone else

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate devices
  • Monitor for unauthorized password change attempts in logs

🔍 How to Verify

Check if Vulnerable:

Send an HTTP POST to /cgi-bin/sm_changepassword.cgi (and to /cgi-bin/sm_sms_changepasswd.cgi) without any credentials. A device that processes the request instead of answering with 401/403 or a redirect to the login page is vulnerable. Test only terminals you are authorized to touch, during a maintenance window and with a console recovery path available, and do not supply a real new password, since a successful request changes the admin password.

Check Version:

Check firmware version via web interface or serial console

Verify Fix Applied:

Verify password change endpoints require authentication after update
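The following probe automates the "check if vulnerable" and "verify fix applied" steps. It is an added example, not FURUNO code and not from this page: it assumes the web interface answers on plain HTTP, that a patched terminal answers an unauthenticated POST with 401/403 or a redirect to a login page, and that an empty POST body (no password fields) is the least intrusive request this page's information allows. Expect the CGI to reject an empty body for missing fields rather than change anything, but confirm a serial-console recovery path exists before running it, and run it only against terminals you are authorized to test.

```python
"""Unauthenticated-POST probe for the FELCOM password-change CGIs named on this page.

Added example, not FURUNO code. Assumptions: plain HTTP, and a patched device
answers an unauthenticated POST with 401/403 or a redirect to a login page.
"""
import sys
from urllib.error import HTTPError, URLError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Endpoints named on this page.
ENDPOINTS = ("/cgi-bin/sm_changepassword.cgi", "/cgi-bin/sm_sms_changepasswd.cgi")


def classify(status, headers):
    """Map one response to an unauthenticated POST onto a verdict.

    headers may be a dict or an http.client.HTTPMessage; names are compared
    case-insensitively. The 401/403/login-redirect heuristic is an assumption,
    not documented FELCOM behaviour.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "auth_enforced"
    if status in (301, 302, 303, 307, 308) and "login" in hdrs.get("location", "").lower():
        return "auth_enforced"
    if 200 <= status < 300:
        return "unauthenticated_access"   # the CGI ran without credentials: vulnerable
    return "inconclusive"


class _NoRedirect(HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them, so a
    redirect to the login page is not mistaken for a 200 from the CGI."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, path, timeout=10):
    """POST an empty body (no password fields) to base_url + path and classify the answer."""
    req = Request(base_url.rstrip("/") + path, data=b"", method="POST")
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers)
    except HTTPError as e:          # 3xx/4xx/5xx land here
        return classify(e.code, e.headers)
    except URLError as e:
        return "unreachable: %s" % e.reason


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s http://<felcom-ip>" % sys.argv[0])
    for ep in ENDPOINTS:
        print("%-40s %s" % (ep, probe(sys.argv[1], ep)))
```

Run it before and after the firmware update: both endpoints should move from unauthenticated_access to auth_enforced. An inconclusive result (for example a 5xx or a redirect to something other than a login page) means the heuristic does not fit this firmware and the response should be inspected by hand.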

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to /cgi-bin/sm_changepassword.cgi
  • Password change events from unexpected IPs

Network Indicators:

  • HTTP POST to the password-change endpoints without an Authorization header or session cookie

SIEM Query:

source="felcom" AND (url="/cgi-bin/sm_changepassword.cgi" OR url="/cgi-bin/sm_sms_changepasswd.cgi") AND NOT auth_token=*

The source and auth_token field names are placeholders: the terminal itself does not ship such logs, so map them to whatever the reverse proxy or network sensor in front of the device actually records for the request path and for the presence of a session or Authorization header.
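The two log indicators above, implemented as detection logic over constructed sample lines. This is an added example, not from the page or the vendor. It assumes a reverse proxy or HTTP sensor in front of the terminal that logs one request per line in the format shown in the docstring (timestamp, source IP, request line, status, then the Authorization and Cookie headers or "-" when absent); the management allowlist is an assumption as well.

```python
"""Detection for CVE-2018-16591 indicators over a constructed access log.

Added example, not vendor or page code. Assumed log format, one request per line:

    <timestamp> <src_ip> "<METHOD> <path> <proto>" <status> "<Authorization or ->" "<Cookie or ->"
"""
import re
from collections import namedtuple

# Endpoints named on this page.
TARGET_PATHS = {"/cgi-bin/sm_changepassword.cgi", "/cgi-bin/sm_sms_changepasswd.cgi"}
# Assumed: the only host that should ever change the terminal's admin password.
MGMT_ALLOWLIST = {"10.0.5.10"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<auth>[^"]*)" "(?P<cookie>[^"]*)"$'
)

Alert = namedtuple("Alert", "severity ts src path reason")


def parse_line(line):
    """Return the request fields as a dict, or None if the line is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, allowlist=MGMT_ALLOWLIST):
    """Apply the page's two indicators to every POST against a password-change CGI.

    Unauthenticated POST  -> HIGH   (the exploit pattern itself)
    Authenticated POST from outside the allowlist -> MEDIUM (unexpected source)
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]      # ignore any query string
        if path not in TARGET_PATHS:
            continue
        authenticated = rec["auth"] != "-" or rec["cookie"] != "-"
        if not authenticated:
            alerts.append(Alert("HIGH", rec["ts"], rec["src"], path,
                                "unauthenticated POST to password-change CGI (CVE-2018-16591 pattern)"))
        elif rec["src"] not in allowlist:
            alerts.append(Alert("MEDIUM", rec["ts"], rec["src"], path,
                                "password change from a source outside the management allowlist"))
    return alerts


# Constructed sample log: one legitimate admin session, one unauthenticated
# attempt against both CGIs, and one authenticated change from an unexpected host.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z 10.0.5.10 "GET /cgi-bin/sm_changepassword.cgi HTTP/1.1" 200 "-" "sid=3f9a2c"
2024-03-01T10:15:09Z 10.0.5.10 "POST /cgi-bin/sm_changepassword.cgi HTTP/1.1" 200 "-" "sid=3f9a2c"
2024-03-01T11:02:41Z 198.51.100.23 "POST /cgi-bin/sm_changepassword.cgi HTTP/1.1" 200 "-" "-"
2024-03-01T11:02:43Z 198.51.100.23 "POST /cgi-bin/sm_sms_changepasswd.cgi HTTP/1.1" 200 "-" "-"
2024-03-01T12:30:00Z 192.0.2.55 "POST /cgi-bin/sm_changepassword.cgi HTTP/1.1" 200 "Basic YWRtaW46c2VjcmV0" "-"
2024-03-01T12:31:00Z 192.0.2.55 "POST / HTTP/1.1" 200 "-" "-"
"""


def run_sample():
    """Run the detector over the constructed sample; yields two HIGH and one MEDIUM alert."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print("%-6s %s %-15s %s  %s" % a)
```

The HIGH rule does not consult the allowlist on purpose: an unauthenticated request that the terminal accepts is evidence of the vulnerable behaviour whoever sent it, and on a patched device such requests should never return 2xx at all, so the rule doubles as a regression check after the firmware update.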

🔗 References
