PT-2025-47014 · Ubee · Ubee Evw3226
Published 2025-11-14 · Updated 2025-11-18 · CVE-2016-15056
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Ubee EVW3226 versions up to and including 1.0.20
Description
The Ubee EVW3226 cable modem/router firmware stores configuration backup files in the web root after they are generated for download. These files remain accessible without authentication until a reboot of the device. An attacker on the local network can request the file 'Configuration file.cfg' to obtain the backup archive. The backup files are not encrypted and contain sensitive information, including the plaintext admin password, potentially allowing full compromise of the device.
Recommendations
Update to a firmware version later than 1.0.20.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Ubee Evw3226