CVE-2024-40113
📋 TL;DR
The Sitecom WLX-2006 Wall Mount Range Extender N300 v1.5 and earlier uses default administrative credentials that cannot be changed. This allows attackers to gain administrative access to the device, potentially compromising network security. All users of affected devices are vulnerable unless they have applied the vendor fix.
💻 Affected Systems
- Sitecom WLX-2006 Wall Mount Range Extender N300
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control, reconfigure the device as a rogue access point, intercept all network traffic, deploy malware to connected devices, or pivot to attack other network segments.
Likely Case
Attackers change device settings to create backdoors, redirect traffic through malicious DNS servers, or use the device as part of a botnet for DDoS attacks.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the device itself, though attackers could still disrupt local wireless connectivity.
🎯 Exploit Status
Exploitation requires only knowledge of default credentials (admin/admin) and network access to the device's web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.6 or later
Vendor Advisory: http://www.sitecomlearningcentre.com/products/wlx-2006v1001/wi-fi-range-extender-n300/downloads
Restart Required: Yes
Instructions:
1. Download firmware v1.6 or later from the Sitecom website.
2. Log into the device web interface.
3. Navigate to Administration > Firmware Upgrade.
4. Upload the new firmware file.
5. Wait for the device to reboot automatically.
🔧 Temporary Workarounds
Network Segmentation
Isolate the range extender on a separate VLAN with strict firewall rules to limit lateral movement.
Access Control Lists
Implement IP-based restrictions to only allow administrative access from trusted management networks.
🧯 If You Can't Patch
- Replace the device with a model that supports proper credential management
- Disable the device entirely and use alternative wireless extension methods
🔍 How to Verify
Check if Vulnerable:
Attempt to log into the device web interface using admin/admin credentials. If successful, the device is vulnerable.
Check Version:
Log into web interface and check System Status or About page for firmware version.
Verify Fix Applied:
After updating to v1.6+, verify you can change administrative credentials and that old defaults no longer work.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login with default credentials
- Configuration changes from unexpected IP addresses
Network Indicators:
- HTTP requests to device management interface from external IPs
- Unusual outbound traffic patterns from the range extender
SIEM Query:
source_ip="range_extender_ip" AND ((event_type="login_success" AND username="admin") OR event_type="config_change")
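The log indicators above, turned into runnable detection logic as an added example (not part of the advisory): it parses constructed syslog-style lines in a hypothetical key=value format the extender is assumed to emit, flags a successful admin login that follows repeated failures from the same source, and flags admin logins and configuration changes from hosts outside an assumed trusted management set.

```python
import re

# Constructed sample lines; the key=value layout is an assumption, not the
# device's real log format.
SAMPLE_LOGS = [
    "2024-06-01T10:00:01 src=192.168.1.50 event=login_failed user=admin",
    "2024-06-01T10:00:03 src=192.168.1.50 event=login_failed user=admin",
    "2024-06-01T10:00:05 src=192.168.1.50 event=login_success user=admin",
    "2024-06-01T10:01:10 src=192.168.1.50 event=config_change key=dns_server value=203.0.113.9",
    "2024-06-01T11:00:00 src=192.168.1.10 event=login_success user=admin",
    "2024-06-01T11:00:30 src=192.168.1.10 event=config_change key=ssid value=HomeNet",
]

# Assumed management host allowed to administer the extender.
TRUSTED_MGMT = {"192.168.1.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: user=(?P<user>\S+))?(?: key=(?P<key>\S+) value=(?P<value>\S+))?$"
)


def parse(line):
    """Return a dict of fields, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, trusted, fail_threshold=2):
    """Return (alert_type, source_ip, timestamp) tuples for suspicious events."""
    alerts = []
    fails = {}  # source IP -> failed admin logins since the last success
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, ev = rec["src"], rec["event"]
        if ev == "login_failed" and rec["user"] == "admin":
            fails[src] = fails.get(src, 0) + 1
        elif ev == "login_success" and rec["user"] == "admin":
            if fails.get(src, 0) >= fail_threshold:
                # Failures then success: consistent with guessing the default creds.
                alerts.append(("default_cred_login_after_failures", src, rec["ts"]))
            elif src not in trusted:
                alerts.append(("admin_login_untrusted_src", src, rec["ts"]))
            fails[src] = 0
        elif ev == "config_change" and src not in trusted:
            alerts.append(("config_change_untrusted_src", src, rec["ts"]))
    return alerts
```

Running `detect(SAMPLE_LOGS, TRUSTED_MGMT)` on the constructed lines yields two alerts, both for 192.168.1.50; the activity from the trusted management host is not flagged.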