Login Sign Up

CVE-2023-22906

8.8 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to gain root access to affected Hero Qubo HCD01_02 devices via TELNET. The devices have TELNET enabled by default with root privileges and no password. This affects all users of these specific IoT devices with the vulnerable firmware version.

💻 Affected Systems

Products:
  • Hero Qubo HCD01_02
Versions: V1.38_20220125 and likely earlier versions with same configuration
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with default TELNET configuration enabled. Physical access not required.

📦 What is this software?

Qubo Hcd01 Firmware by Heroelectronix

View all CVEs affecting Qubo Hcd01 Firmware →

Qubo Hcd02 Firmware by Heroelectronix

View all CVEs affecting Qubo Hcd02 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install malware, pivot to internal networks, exfiltrate data, or use device as botnet member.

🟠

Likely Case

Remote attackers gaining full control of device, modifying configurations, stealing data, or using device for DDoS attacks.

🟢

If Mitigated

No impact if TELNET is disabled or properly secured with authentication.

🌐 Internet-Facing: HIGH - Devices are often deployed with public IP addresses and TELNET is accessible remotely by default.
🏢 Internal Only: MEDIUM - Even internally, unauthenticated root access poses significant risk to network security.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple TELNET connection to device IP on port 23 provides root shell without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Contact vendor for updated firmware if available.

🔧 Temporary Workarounds

Disable TELNET service

linux

Permanently disable TELNET daemon on device

telnetd -l /bin/login -p 23

Block TELNET at firewall

linux

Block inbound TELNET connections at network perimeter

iptables -A INPUT -p tcp --dport 23 -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict network segmentation
  • Implement network monitoring for TELNET connections to device IPs

🔍 How to Verify

Check if Vulnerable:

Attempt TELNET connection to device IP on port 23. If you get root shell without password, device is vulnerable.

Check Version:

Check device web interface or console for firmware version information

Verify Fix Applied:

Attempt TELNET connection after applying workarounds. Connection should be refused or require authentication.

📡 Detection & Monitoring

Log Indicators:

  • Failed TELNET authentication attempts
  • Successful TELNET connections from unexpected sources

Network Indicators:

  • Outbound connections from device to suspicious IPs
  • Unusual network traffic patterns from device

SIEM Query:

source_port=23 OR destination_port=23 AND (device_type="Hero Qubo" OR device_vendor="Hero")

📊 Metadata

CVE ID: CVE-2023-22906
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-306
Published: July 4, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-22906, you might also want to check these:

CVE-2025-32433 10.0

This CVE describes a critical vulnerability in Erlang/OTP's SSH server that allows unauthenticated r...

Same vulnerability type (CWE-306)
CVE-2026-23693 10.0

The ElementsKit Lite WordPress plugin versions before 3.7.9 expose an unauthenticated REST endpoint ...

Same vulnerability type (CWE-306)
CVE-2025-58083 10.0

The General Industrial Controls Lynx+ Gateway has a critical authentication bypass vulnerability in ...

Same vulnerability type (CWE-306)