CVE-2017-9136

Name of the Vulnerable Software and Affected Versions Mimosa Client Radios versions prior to 2.2.3

Description An issue in the device's web interface allows an attacker to download files from the device as the root user by using an unsanitized GET parameter. This can be used to view unsalted, MD5-hashed administrator passwords, which can then be cracked to give the attacker full admin access to the device's web interface. The attacker can also view the plaintext pre-shared key (PSK) for encrypted wireless connections or the device's serial number, allowing for a factory reset.

Recommendations For versions prior to 2.2.3, update to version 2.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the device's web interface to minimize the risk of exploitation. Avoid using the vulnerable web interface until the issue is resolved.