CVE-2015-7277

Source: cert@cert.org

HIGH
9.3
Published: December 31, 2015 at 05:59 AM
Modified: April 12, 2025 at 10:46 AM

Vulnerability Description

The web administration interface on Amped Wireless R10000 devices with firmware 2.5.2.11 has a default password of admin for the admin account, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.

CVSS Metrics

Base Score: 9.3
Severity: HIGH
Vector String: AV:N/AC:M/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Amped Wireless R10000 devices running firmware 2.5.2.11 are vulnerable to remote administrative takeover. The web administration interface uses a default password of 'admin' for the admin account, allowing attackers to gain full control of the device. This compromise can lead to network disruption, data theft, and further exploitation of connected devices.

02 // Vulnerability Mechanism

Step 1: Network Access: The attacker must be on the same Local Area Network (LAN) as the vulnerable Amped Wireless R10000 device.

Step 2: Web Interface Access: The attacker accesses the web administration interface of the device, typically through a web browser, by navigating to the device's IP address (e.g., http://192.168.1.1).

Step 3: Authentication Attempt: The attacker enters the default credentials: username 'admin' and password 'admin' into the login form.

Step 4: Successful Login: The device's authentication mechanism compares the provided credentials with the hardcoded default password. Since they match, the attacker is successfully authenticated.

Step 5: Administrative Control: The attacker gains full administrative access to the device, allowing them to modify network settings, change the firmware, intercept network traffic, and potentially compromise other devices on the network.

03 // Deep Technical Analysis

The vulnerability stems from a fundamental design flaw: the device's web administration interface fails to enforce a strong, unique password during initial setup. The default password 'admin' is hardcoded and remains unchanged unless manually modified by the user. This lack of secure default configuration, combined with the device's exposure to a local network, creates a trivial attack vector. The web interface likely uses a simple authentication mechanism that directly compares the provided credentials against the stored default password without any rate limiting or account lockout features. The root cause is a failure to implement secure coding practices, specifically regarding default configurations and authentication security.

04 // Exploitation Status

Public PoC. Exploitation is trivial due to the default password. Numerous online resources and tutorials demonstrate the exploit. The vulnerability is easily reproducible.

05 // Threat Intelligence

While no specific APT groups are directly linked to exploiting this vulnerability, it is highly likely that any attacker with basic skills could leverage it. This type of vulnerability is often targeted by opportunistic attackers seeking to gain initial access to a network. Not listed on CISA KEV.

06 // Detection & Hunting

  • Monitor network traffic for HTTP/HTTPS requests to the device's IP address, especially those targeting the web administration interface (typically port 80 or 443).

  • Analyze web server logs on the device (if logging is enabled) for successful login attempts using the username 'admin'.

  • Scan the network for Amped Wireless R10000 devices and identify those running firmware 2.5.2.11.

  • Monitor for changes to the device's configuration, such as modified DNS settings, firewall rules, or firmware updates, which could indicate compromise.

07 // Remediation & Hardening

  • Immediately change the default password for the admin account to a strong, unique password.

  • Disable remote administration if not required.

  • Update the device's firmware to the latest version, which likely addresses this vulnerability (though specific versions are not mentioned in the CVE).

  • Segment the network to isolate the router from critical assets.

  • Implement network intrusion detection and prevention systems (IDS/IPS) to monitor for suspicious activity.

  • Regularly audit device configurations and security settings.

08 // Affected Products

  • Amped Wireless R10000 devices

  • Firmware version 2.5.2.11

09 // Discovered Proof of Concept Links
