CVE-2018-6401

9.8 CRITICAL

📋 TL;DR

Meross MSS110 smart plugs ship with a hidden TELNET service on TCP port 23 and an undocumented admin account whose password is blank. Anyone who can reach that port logs in without any credential and gets full administrative access to the device. Because the account is built into the firmware, every device running affected firmware is exploitable.

💻 Affected Systems

Products:
  • Meross MSS110 Smart Wi-Fi Plug Mini
Versions: All versions before 1.1.24
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The hidden TELNET service listens on TCP port 23 and is enabled out of the box, so a factory-fresh device is already exposed.

📦 What is this software?

The Meross MSS110 Smart Wi-Fi Plug Mini is a consumer Wi-Fi smart plug that runs embedded Linux firmware, joins the owner's home or office Wi-Fi network, and is set up, controlled and updated through the Meross mobile app.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise, allowing attackers to install persistent malware, pivot to internal networks, or use devices as botnet nodes for DDoS attacks.

🟠 Likely Case: Attackers gain administrative access to smart plugs, enabling them to control power states, monitor network traffic, or use devices as entry points to home/office networks.

🟢 If Mitigated: Limited impact if devices are isolated on separate VLANs with strict firewall rules blocking TELNET access.

🌐 Internet-Facing: HIGH - Devices exposed to the internet are trivially exploitable via automated scanning for open TELNET ports.
🏢 Internal Only: HIGH - Any host on the same network (a compromised laptop, a guest on the Wi-Fi) can exploit it just as easily; there is no credential to guess.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a TELNET client and knowledge of the undocumented admin account name; the password is blank.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.24 and later

Vendor Advisory: https://www.meross.com/ (no specific advisory found)

Restart Required: Yes

Instructions:

1. Open the Meross app.
2. Check for firmware updates for the plug.
3. Apply the update to version 1.1.24 or later.
4. The device restarts automatically once the update is installed.

🔧 Temporary Workarounds

Block TELNET access

linux

On the router or firewall that sits between the plug's segment and the rest of the network, drop forwarded connections to TCP port 23 on the device. The rule belongs in the FORWARD chain (an INPUT rule only protects the firewall host itself, not traffic passing through it to the plug) and is inserted at the top so that an earlier ACCEPT rule cannot bypass it. Replace <plug-ip> with the device address or the whole IoT subnet:

iptables -I FORWARD 1 -d <plug-ip> -p tcp --dport 23 -j DROP

Confirm the rule is in place and counting hits with: iptables -L FORWARD -v -n --line-numbers

Disable TELNET service

all

Because the service is hidden and undocumented, the MSS110 offers no documented way to turn it off; the firmware update is the only fix, and the firewall rule above is the stopgap. If a device or firmware does expose a TELNET setting, disable the service there.

🧯 If You Can't Patch

  • Isolate devices on a separate VLAN with strict firewall rules; allow only the traffic the plug needs to reach the vendor cloud
  • Implement network segmentation to prevent lateral movement from compromised devices into workstations, servers, or other IoT segments
  • Make sure no port-forwarding or UPnP rule exposes TCP port 23 on the device to the internet

🔍 How to Verify

Check if Vulnerable:

From a host on the same network, open a TELNET connection to TCP port 23 on the device (for example: telnet <device-ip> 23). If the login prompt accepts the user name admin with an empty password and returns a shell, the device is vulnerable. A refused connection means nothing is listening on that port.

Check Version:

Check firmware version in Meross mobile app under device settings

Verify Fix Applied:

After the update, the connection to TCP port 23 should be refused (nothing listening) or, at minimum, the admin login with an empty password should be rejected. A device that still drops you into a shell has not been fixed, whatever version the app reports.
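The three checks above, as one script. This is an added example, not a Meross utility or a script from this page: it does exactly what the text describes (connect to TCP port 23, answer the login prompt with admin and an empty password, look for a shell prompt) and reports closed for the post-update state. The prompt patterns, the timeouts and the default target address 192.168.50.20 are assumptions; the telnet option handling refuses every option the device proposes so that negotiation bytes do not get mixed into the prompt matching.

```python
"""Check a Meross MSS110 for the CVE-2018-6401 TELNET backdoor.

Added example, not Meross code. It follows the page's procedure: connect to
TCP/23, answer the login prompt with 'admin' and an empty password, and look
for a shell prompt. Prompt patterns, timeouts and the default host are assumed.
"""
import re
import socket
import sys
import time

TELNET_PORT = 23
IAC = 0xFF                                    # telnet Interpret-As-Command byte
DO, DONT, WILL, WONT = 0xFD, 0xFE, 0xFB, 0xFC

# Assumed prompt shapes, matched against the end of the data received so far.
SHELL_PROMPT_RE = re.compile(rb"(?:^|[\r\n])[^\r\n]*[#$] ?$")     # e.g. BusyBox "/ # "
LOGIN_PROMPT_RE = re.compile(rb"login:\s*$", re.IGNORECASE)
PASSWORD_PROMPT_RE = re.compile(rb"password:\s*$", re.IGNORECASE)
LOGIN_FAILED_RE = re.compile(rb"login incorrect|access denied", re.IGNORECASE)


def strip_telnet_negotiation(data: bytes) -> tuple[bytes, bytes]:
    """Return (text, reply): option requests are removed from the text and
    refused in the reply (DO -> WONT, WILL -> DONT) to stay in plain NVT mode.
    IAC IAC is kept as a literal 0xFF; sub-negotiation (SB ... SE) is not handled."""
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            text.append(data[i])
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            if cmd == DO:
                reply += bytes([IAC, WONT, data[i + 2]])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, data[i + 2]])
            i += 3
        else:
            if cmd == IAC:
                text.append(IAC)
            i += 2
    return bytes(text), bytes(reply)


def classify(transcript: bytes) -> str:
    """'vulnerable' if the session ended at a shell prompt, 'rejected' if the
    login was refused or re-prompted, 'unknown' otherwise."""
    text, _ = strip_telnet_negotiation(transcript)
    if SHELL_PROMPT_RE.search(text):
        return "vulnerable"
    if (LOGIN_FAILED_RE.search(text) or LOGIN_PROMPT_RE.search(text)
            or PASSWORD_PROMPT_RE.search(text)):
        return "rejected"
    return "unknown"


def _read_until(sock: socket.socket, patterns, timeout: float) -> bytes:
    """Read until one of the patterns matches the cleaned data or the timeout expires."""
    deadline = time.monotonic() + timeout
    buf = b""
    while time.monotonic() < deadline:
        sock.settimeout(max(0.1, deadline - time.monotonic()))
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:                             # peer closed the connection
            break
        _, reply = strip_telnet_negotiation(chunk)
        if reply:
            sock.sendall(reply)
        buf += chunk
        cleaned, _ = strip_telnet_negotiation(buf)
        if any(p.search(cleaned) for p in patterns):
            break
    return buf


def probe(host: str, username: str = "admin", password: str = "",
          timeout: float = 5.0) -> str:
    """Run the login sequence; 'closed' means TCP/23 is not listening, which is
    the expected state once the fixed firmware is installed."""
    try:
        sock = socket.create_connection((host, TELNET_PORT), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        transcript = _read_until(sock, (LOGIN_PROMPT_RE,), timeout)
        sock.sendall(username.encode() + b"\r\n")
        transcript += _read_until(sock, (PASSWORD_PROMPT_RE, SHELL_PROMPT_RE), timeout)
        sock.sendall(password.encode() + b"\r\n")
        transcript += _read_until(
            sock, (SHELL_PROMPT_RE, LOGIN_FAILED_RE, LOGIN_PROMPT_RE), timeout)
    return classify(transcript)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.50.20"   # assumed plug address
    print(f"{target}: {probe(target)}")
```

Run it from a host on the plug's segment (save it under any name, e.g. mss110_check.py, and pass the device address as the first argument). Against a patched device the expected result is closed; vulnerable means the blank-password login reached a shell, and unknown means the port answered but neither a prompt nor a refusal was recognised, which deserves a manual look with a plain telnet client.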

📡 Detection & Monitoring

Log Indicators (expect to collect these from a firewall, IDS, or network sensor in front of the plug rather than from the plug itself):

  • Failed TELNET authentication attempts
  • Successful TELNET logins from unexpected sources

Network Indicators:

  • TELNET traffic to port 23 on IoT devices
  • Unusual outbound connections from IoT devices

SIEM Query:

(source_port=23 OR dest_port=23) AND (event_type="authentication" OR event_type="connection")

The parentheses around the port test matter: AND binds tighter than OR in most SIEM query languages, so without them the query also returns every event with source_port=23 regardless of type. Narrow it further to the IoT subnet (for example dest_ip in the plug's VLAN) to cut noise from other TELNET traffic.
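The network indicators above, turned into a small detector over flow records, as an added example that is not the page's query or vendor tooling. It assumes an IoT VLAN of 192.168.50.0/24, RFC 1918 space as "internal", and that the plug's only legitimate internet traffic is HTTPS and MQTT over TLS (ports 443 and 8883); the record format and the sample log are constructed. It goes slightly beyond the two bullets: besides inbound TELNET to the IoT segment and unexpected outbound connections, it also flags connections from the segment into other internal segments, which is the lateral movement the mitigation section warns about.

```python
"""Flag the TELNET and outbound indicators for CVE-2018-6401 in flow records.

Added example, not vendor or page code. The IoT subnet, the internal ranges,
the allowed cloud ports and the sample log are constructed assumptions;
adjust them to your network. Record format assumed (one flow per line):
"ts src_ip src_port dst_ip dst_port proto".
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")        # assumed IoT VLAN
INTERNAL = [ipaddress.ip_network(n) for n in               # assumed: all RFC 1918 space
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLOUD_PORTS = {443, 8883}                                  # assumed: HTTPS and MQTT/TLS to the vendor cloud


@dataclass(frozen=True)
class Flow:
    ts: str
    src: Addr
    sport: int
    dst: Addr
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto.lower())


def is_internal(addr: Addr) -> bool:
    return any(addr in net for net in INTERNAL)


def detect(flow: Flow) -> Optional[str]:
    """Return an alert name for a flow matching one of the indicators, else None."""
    # Anyone reaching TCP/23 on the IoT segment: the backdoor is one login away.
    if flow.proto == "tcp" and flow.dport == 23 and flow.dst in IOT_SUBNET:
        return "telnet-to-iot"
    if flow.src in IOT_SUBNET:
        if not is_internal(flow.dst) and flow.dport not in CLOUD_PORTS:
            # A plug talking to the internet on anything but its cloud ports (e.g. 6667/IRC) suggests botnet C2.
            return "iot-unexpected-outbound"
        if is_internal(flow.dst) and flow.dst not in IOT_SUBNET:
            # A plug opening connections into another internal segment suggests pivoting.
            return "iot-lateral"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, str, int]]:
    """Parse each non-comment line and return (ts, alert, src, dst, dport) for every hit."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        verdict = detect(f)
        if verdict:
            alerts.append((f.ts, verdict, str(f.src), str(f.dst), f.dport))
    return alerts


# Constructed sample, not captured traffic: cloud MQTT, an inbound TELNET login, a
# pivot to a file server, an outbound IRC connection, and ordinary office traffic.
SAMPLE_LOG = """\
# ts src_ip src_port dst_ip dst_port proto
2018-02-01T10:00:01Z 192.168.50.20 54123 203.0.113.5 8883 tcp
2018-02-01T10:00:02Z 192.168.1.77 41022 192.168.50.20 23 tcp
2018-02-01T10:00:03Z 192.168.50.20 33000 192.168.1.10 445 tcp
2018-02-01T10:00:04Z 192.168.50.20 33001 203.0.113.9 6667 tcp
2018-02-01T10:00:05Z 192.168.1.77 50000 192.168.1.10 443 tcp
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample the detector fires three times: the TELNET connection from the office LAN into the plug, the plug's connection to the file server on 445, and the plug's IRC connection to the internet; the MQTT session to the cloud and the office HTTPS traffic pass. Feed it real flow exports (NetFlow, Zeek conn.log, firewall logs) by adapting parse_flow to the field order of that source.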

🔗 References

  • NVD entry for CVE-2018-6401: https://nvd.nist.gov/vuln/detail/CVE-2018-6401
