CVE-2022-3203

Published: Oct 21, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD (Secondary)

Description

On ORing net IAP-420(+) with FW version 2.0m a telnet server is enabled by default and cannot permanently be disabled. You can connect to the device via LAN or WiFi with hardcoded credentials and get an administrative shell. These credentials are reset to defaults with every reboot.

Affected (2)

Products: Oringnet: Iap 420 Firmware

1 product

Iap 420 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Oringnet Iap 420+ Firmware	Version 2.0m

Running on/with	Platform Versions
Oringnet Iap 420+	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Oringnet Iap 420 Firmware	Version 2.0m

Running on/with	Platform Versions
Oringnet Iap 420	All versions

Related CWEs

Hidden Functionality

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.

References (2)

https://mads.uniud.it/2022/09/lord-of-the-orings/

Source: info@cert.vde.com

ExploitMitigationThird Party Advisory

https://mads.uniud.it/2022/09/lord-of-the-orings/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

Timeline

No history available yet.