CVE-2020-28973
📋 TL;DR
The ABUS Secvest wireless alarm system FUAA50000 fails to properly authenticate requests to its HTTPS interface, allowing attackers to obtain sensitive information like usernames and passwords. This affects users of the FUAA50000 system version 3.01.17, potentially enabling attackers to reconfigure or disable alarm systems.
💻 Affected Systems
- ABUS Secvest wireless alarm system FUAA50000
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to the alarm system, disable security features, extract all stored credentials, and potentially compromise the entire security infrastructure.
Likely Case
Attackers obtain administrative credentials and reconfigure or disable the alarm system, leaving premises unprotected.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated alarm system components only.
🎯 Exploit Status
Exploitation requires network access to the HTTPS interface but no authentication. The vulnerability allows extraction of sensitive configuration data including credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.01.18 or later
Vendor Advisory: https://www.abus.com/security-advisory
Restart Required: Yes
Instructions:
1. Log into the ABUS Secvest web interface.
2. Navigate to System > Firmware Update.
3. Upload and install firmware version 3.01.18 or later.
4. Reboot the system after installation completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate the alarm system from untrusted networks and restrict access to the HTTPS interface.
Access Control Lists
Implement firewall rules to restrict access to the alarm system's management interface.
# Apply on the firewall or router in front of the device; replace trusted_ip_range
# with the management subnet that should reach the interface (e.g. 10.0.5.0/24)
iptables -A INPUT -p tcp --dport 443 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Disable remote management features and only allow local access to the alarm system interface.
- Implement network monitoring and intrusion detection specifically for traffic to the alarm system's IP address and port 443.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the web interface under System > Information. If the version is 3.01.17, the system is vulnerable.
Check Version:
curl -k https://alarm-system-ip/system/info | grep 'Firmware Version'
Verify Fix Applied:
After updating, verify the firmware version shows 3.01.18 or later in System > Information.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to /system/config or /user/ endpoints
- Multiple failed login attempts followed by successful configuration changes
Network Indicators:
- Unusual HTTPS traffic patterns to the alarm system on port 443
- Requests to sensitive endpoints without proper authentication headers
SIEM Query:
source="alarm-system" AND (url_path="/system/config" OR url_path="/user/") AND http_status=200 AND auth_status="none"
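A small log-review script, added here as an example (not code from ABUS or from the original advisory), that applies the same rule as the SIEM query above to web-server access logs offline. The log format and the sample lines are constructed assumptions, since the page does not document the device's actual log format.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in a combined-log style
# (assumption: the device's real log format is not documented on this page).
SAMPLE_LOG = """\
10.0.5.20 - admin [02/Dec/2020:10:00:01 +0000] "GET /system/info HTTP/1.1" 200 512
203.0.113.7 - - [02/Dec/2020:10:02:13 +0000] "GET /system/config HTTP/1.1" 200 8192
203.0.113.7 - - [02/Dec/2020:10:02:14 +0000] "GET /user/ HTTP/1.1" 200 1024
10.0.5.20 - admin [02/Dec/2020:10:05:00 +0000] "GET /system/config HTTP/1.1" 200 8192
203.0.113.9 - - [02/Dec/2020:10:07:41 +0000] "GET /system/config HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
# Endpoints listed under "Log Indicators" above.
SENSITIVE_PREFIXES = ("/system/config", "/user/")


@dataclass(frozen=True)
class Hit:
    src: str
    ts: str
    path: str


def find_unauthenticated_hits(log_text: str) -> list[Hit]:
    """Return successful (200) requests to sensitive endpoints with no
    authenticated user ('-' in the remote-user field), mirroring the SIEM query."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if (m["status"] == "200"
                and m["user"] == "-"
                and m["path"].startswith(SENSITIVE_PREFIXES)):
            hits.append(Hit(m["src"], m["ts"], m["path"]))
    return hits


if __name__ == "__main__":
    for h in find_unauthenticated_hits(SAMPLE_LOG):
        print(f"ALERT unauthenticated access from {h.src} to {h.path} at {h.ts}")
```

Authenticated administrator reads and rejected (401) requests are deliberately not flagged, so only the two anonymous successful reads in the sample produce alerts.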