CVE-2024-28875 – The LevelOne WBR-6012 router contains a hard-co... (How to Fix)

📋 TL;DR

The LevelOne WBR-6012 router contains a hard-coded backdoor credential '@m!t2K1' that grants admin access during the first 30 seconds after boot. Attackers can combine this with other vulnerabilities to force a reboot and bypass the time restriction. All users of affected WBR-6012 routers are vulnerable to unauthorized administrative access.

💻 Affected Systems

Products:

LevelOne WBR-6012

Versions: All versions prior to patched firmware

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. The vulnerability is in the firmware itself, not dependent on specific settings.

📦 What is this software?

Wbr 6012 Firmware by Level1

View all CVEs affecting Wbr 6012 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with administrative access, enabling network traffic interception, DNS hijacking, credential theft, and deployment of persistent malware.

🟠

Likely Case

Unauthorized administrative access leading to network configuration changes, service disruption, and potential lateral movement to connected devices.

🟢

If Mitigated

Limited impact if router is behind additional security controls, though local network compromise remains possible.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access, though the 30-second window makes timing challenging.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit requires timing (first 30 seconds after boot) or ability to force reboot via other vulnerabilities. The hard-coded credential is publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates
2. Download latest firmware
3. Access router admin interface
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router administration interface

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Replace affected router with different model from different vendor
Implement strict network access controls and monitor for reboot events

🔍 How to Verify

Check if Vulnerable:

Check router model and firmware version. Attempt authentication with '@m!t2K1' within 30 seconds of reboot.

Check Version:

Check router web interface or use 'show version' via console if available

Verify Fix Applied:

Test authentication with '@m!t2K1' after applying firmware update - should no longer grant access.

📡 Detection & Monitoring

Log Indicators:

Failed login attempts followed by successful login within 30 seconds of boot
Multiple reboot events in short timeframe
Authentication with unusual username patterns

Network Indicators:

HTTP POST requests to login endpoint with '@m!t2K1' credential
Unusual administrative access from unexpected IPs

SIEM Query:

source="router_logs" AND (event="authentication_success" AND user="*@m!t2K1*" OR event="reboot" AND count>1 within 5min)

📊 Metadata

CVE ID: CVE-2024-28875

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

Published: October 30, 2024

Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-28875, you might also want to check these: