Critical June 14, 2012

Huawei HG866 authentication bypass

The web management interface of Huawei HG866 routers has several pages which fail to validate the user's session. This allows an attacker to bypass authentication both locally and remotely.

CVSS Score

9.8 / 10.0

Severity

Critical

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Advisory

Device: Huawei EchoLife HG866
Hardware: HG866GTA_VER.C, 01, 02
Software: V1R2C01SPC202, R3.2.4.92sbn - R3.4.2.257sbn, 3FE53864AOCB16
Impact: Remote authentication bypass with full admin takeover
Attack Vector: Remote

Description

The Huawei HG866 is a GPON ONT (4FE + 2 POTS + Wi-Fi + 2 USB) with a web management interface. Several pages in the administrative interface fail to validate the user's session, allowing the authentication layer to be bypassed both locally and remotely.

Because session validation is absent, an attacker can change the administrator password by issuing a POST request to /html/password.html, without supplying any credentials.
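As an added defensive example (not part of the advisory, and not vendor code): a small log detector that flags the two conditions this advisory makes relevant, a POST to /html/password.html that carries no session cookie at all, and any management-page request arriving from outside the LAN. It assumes a hypothetical proxy or IDS in front of the ONT that exports lines in the constructed key=value format shown; the `/html/` admin prefix, the `sid` cookie name and the LAN range are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample log lines (not from the advisory): a hypothetical export
# from a proxy or IDS sitting in front of the ONT's web interface, recording
# source address, method, path and whether any session cookie was presented.
SAMPLE_LOG = """\
2012-06-14T10:01:02Z src=192.168.1.20 method=GET path=/html/index.html cookie=sid=ab12
2012-06-14T10:01:09Z src=192.168.1.20 method=POST path=/html/password.html cookie=sid=ab12
2012-06-14T10:02:30Z src=203.0.113.77 method=POST path=/html/password.html cookie=-
2012-06-14T10:02:31Z src=203.0.113.77 method=GET path=/html/status.html cookie=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) cookie=(?P<cookie>\S+)$"
)
PASSWORD_PAGE = "/html/password.html"  # page named in the advisory
ADMIN_PREFIX = "/html/"                # assumed prefix of the management UI


class Finding(NamedTuple):
    ts: str
    src: str
    rule: str


def detect(log_text: str, lan_net: str = "192.168.1.0/24") -> list:
    """Flag unauthenticated password changes and WAN-side admin access."""
    lan = ipaddress.ip_network(lan_net)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        src = ipaddress.ip_address(m["src"])
        no_session = m["cookie"] == "-"
        # Rule 1: the advisory's bug is a password change accepted without a
        # session; a POST to the page with no cookie at all is the signature.
        if m["method"] == "POST" and m["path"] == PASSWORD_PAGE and no_session:
            findings.append(Finding(m["ts"], m["src"], "unauthenticated-password-change"))
        # Rule 2: the only remediation is disabling WAN-side HTTP admin, so
        # any admin-page request from outside the LAN is itself a finding.
        if m["path"].startswith(ADMIN_PREFIX) and src not in lan:
            findings.append(Finding(m["ts"], m["src"], "wan-side-admin-access"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.rule}")
```

Run against the sample, the LAN host's authenticated password change is silent while the two WAN-side requests produce three findings.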

Remediation

No vendor fix. Disable WAN-side HTTP administration.
