CVE-2019-7579

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. An ability exists for an unauthenticated user to browse a confidential ui/1.0.99.187766/dynamic/js/setup.js.localized file on the router's webserver, allowing for an attacker to identify possible passwords that the system uses to set the default guest network password. An attacker can use this list of 30 words along with a random 2 digit number to brute force their access onto a router's guest network.

Se descubrió un problema en los dispositivos Linksys WRT1900ACS 1.0.3.187766. Existe la posibilidad de que un usuario no identificado explore un archivo confidencial ui / 1.0.99.187766 / dynamic / js / setup.js.localized en el servidor web del router, lo que permite que un atacante identifique posibles contraseñas que el sistema utiliza para configurar la red de invitado predeterminada contraseña. Un atacante puede usar esta lista de 30 palabras junto con un número aleatorio de 2 dígitos para forzar su acceso a la red de invitados del router.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-02-07 CVE Reserved
2019-06-17 CVE Published
2024-03-03 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-287: Improper Authentication

CAPEC

References (2)

URL	Tag	Source
https://robot-security.blogspot.com	Not Applicable

URL	Date	SRC
http://www.x0rsecurity.com/2019/06/09/my-second-cve-linksys-wrt-acs-cve-2019-7579-or-as-i-call-it-acceptance-no-one-considers-security-by-design	2024-08-04

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linksys Search vendor "Linksys"	Wrt1900acs Firmware Search vendor "Linksys" for product "Wrt1900acs Firmware"	1.0.3.187766 Search vendor "Linksys" for product "Wrt1900acs Firmware" and version "1.0.3.187766"	-	Affected	in	Linksys Search vendor "Linksys"	Wrt1900acs Search vendor "Linksys" for product "Wrt1900acs"	-	-	Safe