PT-2022-3464 · Inhand Networks · Inrouter302

Francesco Benvenuto

Published

2022-05-12

Updated

2022-05-23

CVE-2022-27172

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions InHand Networks InRouter302 version 3.5.37

Description The issue is related to the use of hardcoded credentials in the InHand Networks InRouter302, specifically in the console infactory functionality. This can be exploited by a remote attacker to execute arbitrary actions. A specially-crafted network request can lead to privileged operation execution, allowing an attacker to send a sequence of requests to trigger the vulnerability.

Recommendations For InHand Networks InRouter302 version 3.5.37, consider changing the hardcoded password in the console infactory functionality to prevent exploitation. As a temporary workaround, restrict access to the console infactory functionality until a patch is available. Avoid using the default credentials for the console infactory functionality to minimize the risk of exploitation.

Exploit

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-259CWE-798

Related Identifiers

BDU:2022-04242

CVE-2022-27172

Affected Products

Inrouter302

PT-2022-3464 · Inhand Networks · Inrouter302

CVE-2022-27172

Weakness Enumeration

Related Identifiers

Affected Products

References · 6