CVE-2020-28093
📋 TL;DR
Tenda AC1200 (Model AC6) routers ship with the same hardcoded password, 1234, on four accounts: admin, support, user, and nobody. Anyone who can reach a vulnerable device's management interface can log in as admin with that password and take full control of the router. Every AC6 unit running vulnerable firmware is affected, regardless of how it was configured by the owner, unless the default passwords have been changed.
💻 Affected Systems
- Tenda AC1200 (Model AC6)
📦 What is this software?
The Tenda AC6 is a consumer AC1200-class dual-band wireless router for home and small-office use. It is administered through a web interface on the LAN side (192.168.0.1 by default) and can optionally expose that interface to the WAN via remote management.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of the router, allowing them to intercept all network traffic, install malware, change DNS settings, create backdoors, and pivot to other devices on the network.
Likely Case
Unauthorized users gain administrative access to the router, enabling them to change network settings, monitor traffic, and potentially compromise connected devices.
If Mitigated
Segmenting the router's management interface and restricting which hosts can reach it limits who can use the default credentials, but it does not remove them. Only changing the passwords (or firmware that removes the hardcoded defaults) fixes the device; an attacker who still reaches the interface retains full administrative control, including the ability to cut connectivity for the whole network.
🎯 Exploit Status
No exploit code is needed: an attacker simply authenticates with the published default credentials. A public GitHub repository documents the accounts and demonstrates root access on the device. The only prerequisite is network reachability of the router's management interface, which means the LAN or Wi-Fi by default, or the internet if remote management has been enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not found in provided references
Restart Required: No
Instructions:
1. Check Tenda's official website for a firmware update for the AC6.
2. If one is available, download the firmware image for your exact hardware revision.
3. Log in to the router admin panel.
4. Navigate to the firmware upgrade section.
5. Upload and install the new firmware.
6. After the upgrade, repeat the default-credential check under "How to Verify": a firmware update is only a fix for this issue if the default credentials no longer work.
🔧 Temporary Workarounds
Change Default Passwords
Manually change the password for every account listed in the advisory (admin, support, user, nobody) to a strong, unique value.
Log in to the router web interface at 192.168.0.1 or 192.168.1.1 with admin/1234
Navigate to System Tools > Password Settings
Set a new strong password for each account the interface lets you change
If the web interface only exposes the admin login password, the support, user and nobody accounts remain at their default; treat the device as still vulnerable and apply the isolation steps under "If You Can't Patch".
Disable Remote Management
Prevent access to the router management interface from the WAN side.
Log in to the router admin panel
Navigate to Advanced > System Tools > Remote Management
Disable remote management, or restrict it to specific trusted IP addresses
This removes internet exposure only; anyone on the LAN or Wi-Fi can still log in with the default credentials until the passwords are changed.
🧯 If You Can't Patch
- Isolate vulnerable routers in a separate management segment reachable only from designated admin hosts, with firewall rules that block the management ports (HTTP/HTTPS) from every other network, including the WAN.
- Monitor the router's logs and the traffic to its management interface so that any login to the default accounts, or any login from outside the admin segment, raises an alert.
🔍 How to Verify
Check if Vulnerable:
On a device you are authorized to test, attempt to log in to the router web interface at 192.168.0.1 or 192.168.1.1 using admin/1234, support/1234, user/1234, or nobody/1234. If any of these credential pairs is accepted, the device is vulnerable.
Check Version:
Log in to the router admin panel and read the firmware version from the System Status or About page; compare it against Tenda's current release for the AC6.
Verify Fix Applied:
Confirm that each of the four default credential pairs is rejected and that every account the interface exposes now requires a strong, non-default password.
📡 Detection & Monitoring
Log Indicators:
- A burst of failed login attempts followed by a successful login from the same source address (password guessing that landed on the default)
- Any successful login by the support, user or nobody accounts, which have no legitimate interactive use
- Configuration changes originating from unknown or non-admin IP addresses
- Admin logins at unusual times or from hosts outside the management segment
Network Indicators:
- HTTP/HTTPS requests to router management interface from unexpected sources
- DNS configuration changes
- Unusual outbound traffic patterns
SIEM Query:
source="router_logs" (event_type="login_success" AND (username="admin" OR username="support" OR username="user" OR username="nobody"))
This query matches every successful login by the four accounts, including routine admin logins. Tune it by excluding admin logins from trusted management addresses, or by pairing it with the failed-attempt burst above, so that it surfaces the service accounts and unexpected sources rather than normal administration.
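The same indicators, run as code over constructed sample log lines. This is an added example, not part of the original advisory and not Tenda's own tooling: the log line shape (timestamp, login_success/login_failed, user=, src=) is an assumption, and real AC6 logs will need the regular expression adjusted. It flags a successful login when the account is one of the never-used service accounts (support, user, nobody), when the source address lies outside the trusted LAN, or when it follows a burst of failures from the same source.

```python
"""Detection example for CVE-2020-28093 default-account logins.

Added example, not code from the original advisory or from Tenda. The log
format handled by LINE_RE is an assumption; adjust it to the real router logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Accounts shipped with the shared default password 1234 (CVE-2020-28093).
DEFAULT_ACCOUNTS = {"admin", "support", "user", "nobody"}
# Only admin has a legitimate interactive use; the rest should never log in.
SERVICE_ACCOUNTS = DEFAULT_ACCOUNTS - {"admin"}

# Assumed log line shape (constructed, not the router's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>login_success|login_failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a normal LAN admin login, a guessing burst from a public
# address that ends in success, and a login by the unused 'support' account.
SAMPLE_LOG = """\
2020-11-02 10:00:01 login_success user=admin src=192.168.0.10
2020-11-02 10:05:00 login_failed user=admin src=203.0.113.7
2020-11-02 10:05:02 login_failed user=admin src=203.0.113.7
2020-11-02 10:05:04 login_failed user=admin src=203.0.113.7
2020-11-02 10:05:06 login_success user=admin src=203.0.113.7
2020-11-02 10:20:00 login_success user=support src=192.168.0.44
2020-11-02 11:00:00 login_failed user=admin src=192.168.0.10
"""


def parse_events(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"],
            "user": m["user"],
            "src": m["src"],
        }


def _is_trusted(src, trusted_nets):
    """True if src parses as an address inside one of the trusted networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in net for net in trusted_nets)


def find_suspicious_logins(text, trusted=("192.168.0.0/24",),
                           max_failures=3, window=timedelta(minutes=5)):
    """Return alert dicts for successful logins matching the advisory's indicators.

    A success is flagged when the account is a service account, when the source
    is outside the trusted networks, or when at least `max_failures` failed
    attempts from the same source occurred within `window` before it.
    """
    trusted_nets = [ip_network(n) for n in trusted]
    failures = defaultdict(list)  # src -> timestamps of failed attempts
    alerts = []
    for ev in parse_events(text):
        if ev["event"] == "login_failed":
            failures[ev["src"]].append(ev["ts"])
            continue
        reasons = []
        if ev["user"] in SERVICE_ACCOUNTS:
            reasons.append("service_account_login")
        if not _is_trusted(ev["src"], trusted_nets):
            reasons.append("untrusted_source")
        recent = [t for t in failures[ev["src"]]
                  if timedelta(0) <= ev["ts"] - t <= window]
        if len(recent) >= max_failures:
            reasons.append("failures_before_success")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(sep=" "), "user": ev["user"],
                           "src": ev["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

On the sample above, the routine admin login from 192.168.0.10 produces nothing, the 203.0.113.7 login is flagged for both its public source and the three failures preceding it, and the support login is flagged on account name alone. Feed the function the router's exported log (or a syslog forward) and adjust `trusted` to your management segment.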