Gerard Fuguet

**Name of the Vulnerable Software and Affected Versions** Inteno EG200 EG200-WU7P1U ADAMO version 3.16.4-190226 1650 **Description** The issue is related to a JUCI ACL misconfiguration. This misconfiguration allows the `user` account to extract the 3DES key via JSON commands to `ubus`. The 3DES key is used for decrypting the provisioning file, which is provided by Adamo Telecom on a public URL via cleartext HTTP. **Recommendations** For Inteno EG200 EG200-WU7P1U ADAMO version 3.16.4-190226 1650, as a temporary workaround, consider restricting access to the `ubus` JSON commands to prevent the extraction of the 3DES key. Additionally, avoid using cleartext HTTP for provisioning files. At the moment, there is no information about a newer version that contains a fix for this issue.