CVE-2024-54750
📋 TL;DR
Ubiquiti U6-LR access points running firmware version 6.6.65 contain a hardcoded root password in /etc/shadow, allowing attackers who know it to gain full administrative control. The exposure applies to devices that have not yet completed initial setup. Ubiquiti disputes that this is a vulnerability, claiming the hardcoded credential should only exist before initial setup.
💻 Affected Systems
- Ubiquiti U6-LR
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain persistent root access to access points, enabling network traffic interception, lateral movement to connected systems, and deployment of malware across the network.
Likely Case
Unauthorized administrative access to access points allowing configuration changes, network disruption, and credential harvesting from connected devices.
If Mitigated
Limited impact if access points are properly segmented and monitored, though root compromise remains a significant security breach.
🎯 Exploit Status
Exploitation requires network access to the device's management interface and knowledge of the hardcoded password.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None - Vendor disputes vulnerability
Restart Required: No
Instructions:
No official patch available. Follow workarounds below.
🔧 Temporary Workarounds
Change root password immediately after setup
Linux: Manually change the root password during initial device configuration to override the hardcoded credential.
passwd root
Disable root SSH access
Linux: Configure SSH to prevent root login entirely.
Edit /etc/ssh/sshd_config: PermitRootLogin no
service ssh restart
🧯 If You Can't Patch
- Segment access points on dedicated VLANs with strict firewall rules limiting management interface access
- Implement network monitoring for unusual authentication attempts or configuration changes to access points
🔍 How to Verify
Check if Vulnerable:
Check whether /etc/shadow contains the known hardcoded password hash for the root user. This requires shell access to the device.
Check Version:
ubnt-systool show version | grep firmware
Verify Fix Applied:
Verify that the root password has been changed by attempting to authenticate with the original hardcoded password (the attempt should fail).
📡 Detection & Monitoring
Log Indicators:
- Successful root SSH logins from unexpected IP addresses
- Configuration changes to access points
Network Indicators:
- SSH connections to access point management interfaces from unauthorized sources
SIEM Query:
source="access_point_logs" event_type="authentication" user="root" result="success"
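The log indicators above as runnable detection logic, added here as an example and not part of this CVE record or of any Ubiquiti tooling: it parses constructed sshd log lines and flags successful root logins that came from outside an assumed management network or that used password authentication (the path a hardcoded credential would take). The log format, hostnames and the management network range are assumptions.

```python
import ipaddress
import re

# Matches sshd authentication results such as
# "sshd[1201]: Accepted password for root from 10.0.5.23 port 51234 ssh2"
SSHD_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_line(line):
    """Return the auth fields of one sshd log line, or None if it is not an auth event."""
    m = SSHD_AUTH_RE.search(line)
    return m.groupdict() if m else None


def find_suspicious_root_logins(lines, trusted_nets):
    """Return (ip, method, reason) for each successful root login that either
    originated outside the trusted management networks or used a password."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for line in lines:
        ev = parse_sshd_line(line)
        if not ev or ev["user"] != "root" or ev["result"] != "Accepted":
            continue
        ip = ipaddress.ip_address(ev["ip"])
        reasons = []
        if not any(ip in n for n in nets):
            reasons.append("source outside management network")
        if ev["method"] == "password":
            reasons.append("password auth for root")
        if reasons:
            alerts.append((ev["ip"], ev["method"], "; ".join(reasons)))
    return alerts


# Constructed sample log lines; not captured from a real device.
SAMPLE_LOG = [
    "Jan 10 12:00:01 ap-lobby sshd[1201]: Accepted publickey for root from 10.0.1.5 port 50112 ssh2",
    "Jan 10 12:03:44 ap-lobby sshd[1230]: Accepted password for root from 10.0.1.9 port 50188 ssh2",
    "Jan 10 12:05:09 ap-lobby sshd[1244]: Failed password for root from 198.51.100.7 port 41022 ssh2",
    "Jan 10 12:05:12 ap-lobby sshd[1245]: Accepted password for root from 198.51.100.7 port 41023 ssh2",
    "Jan 10 12:07:30 ap-lobby sshd[1260]: Accepted publickey for ubnt from 10.0.1.5 port 50201 ssh2",
]

MANAGEMENT_NETS = ["10.0.1.0/24"]  # assumed management VLAN for the access points

if __name__ == "__main__":
    for ip, method, why in find_suspicious_root_logins(SAMPLE_LOG, MANAGEMENT_NETS):
        print(f"ALERT: root login via {method} from {ip}: {why}")
```

Feeding the function real syslog output from the access points gives the same result the SIEM query above produces, with the management-network check added.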