CVE-2024-28875 (GCVE-0-2024-28875)
Vulnerability from cvelistv5 – Published: 2024-10-30 13:35 – Updated: 2025-11-03 21:54
VLAI?
Summary
A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The backdoor string can be found at address 0x80100910
80100910 40 6d 21 74 ds "@m!t2K1"
32 4b 31 00
It is referenced by the function located at 0x800b78b0 and is used as shown in the pseudocode below:
if ((SECOND_FROM_BOOT_TIME < 300) &&
(is_equal = strcmp(password,"@m!t2K1")) {
return 1;}
Where 1 is the return value to admin-level access (0 being fail and 3 being user).
Severity ?
8.1 (High)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Credits
Discovered by Francesco Benvenuto and Patrick DeSantis of Cisco Talos.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:levelone:wbr-6012:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wbr-6012",
"vendor": "levelone",
"versions": [
{
"status": "affected",
"version": "R0.40e6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T14:04:05.633267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T14:05:54.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:54:34.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1979"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WBR-6012",
"vendor": "LevelOne",
"versions": [
{
"status": "affected",
"version": "R0.40e6"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Francesco Benvenuto and Patrick DeSantis of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw involving hard-coded credentials in LevelOne WBR-6012\u0027s web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The backdoor string can be found at address 0x80100910\r\n\r\n 80100910 40 6d 21 74 ds \"@m!t2K1\"\r\n 32 4b 31 00\r\n \r\nIt is referenced by the function located at 0x800b78b0 and is used as shown in the pseudocode below:\r\n\r\n if ((SECOND_FROM_BOOT_TIME \u003c 300) \u0026\u0026\r\n (is_equal = strcmp(password,\"@m!t2K1\")) {\r\n return 1;}\r\n \r\nWhere 1 is the return value to admin-level access (0 being fail and 3 being user)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T13:35:19.982Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2024-28875",
"datePublished": "2024-10-30T13:35:19.982Z",
"dateReserved": "2024-04-26T18:28:06.337Z",
"dateUpdated": "2025-11-03T21:54:34.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:level1:wbr-6012_firmware:r0.40e6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FCC94B2E-4651-4E98-90A1-CB53CC2E24CC\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:level1:wbr-6012:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1FD255E3-0DBF-440C-AC6A-90B30DB59B34\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A security flaw involving hard-coded credentials in LevelOne WBR-6012\u0027s web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The backdoor string can be found at address 0x80100910\\r\\n\\r\\n 80100910 40 6d 21 74 ds \\\"@m!t2K1\\\"\\r\\n 32 4b 31 00\\r\\n \\r\\nIt is referenced by the function located at 0x800b78b0 and is used as shown in the pseudocode below:\\r\\n\\r\\n if ((SECOND_FROM_BOOT_TIME \u003c 300) \u0026\u0026\\r\\n (is_equal = strcmp(password,\\\"@m!t2K1\\\")) {\\r\\n return 1;}\\r\\n \\r\\nWhere 1 is the return value to admin-level access (0 being fail and 3 being user).\"}, {\"lang\": \"es\", \"value\": \"Una falla de seguridad que involucra credenciales codificadas de forma r\\u00edgida en los servicios web de LevelOne WBR-6012 permite a los atacantes obtener acceso no autorizado durante los primeros 30 segundos posteriores al arranque. Otras vulnerabilidades pueden forzar un reinicio, eludiendo la restricci\\u00f3n de tiempo inicial para la explotaci\\u00f3n. La cadena de puerta trasera se puede encontrar en la direcci\\u00f3n 0x80100910 80100910 40 6d 21 74 ds \\\"@m!t2K1\\\" 32 4b 31 00 La funci\\u00f3n ubicada en 0x800b78b0 hace referencia a ella y se utiliza como se muestra en el pseudoc\\u00f3digo a continuaci\\u00f3n: if ((SECOND_FROM_BOOT_TIME \u0026lt; 300) \u0026amp;\u0026amp; (is_equal = strcmp(password,\\\"@m!t2K1\\\")) { return 1;} Donde 1 es el valor de retorno al acceso de nivel de administrador (0 es error y 3 es usuario).\"}]",
"id": "CVE-2024-28875",
"lastModified": "2024-11-13T18:10:05.647",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"talos-cna@cisco.com\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}]}",
"published": "2024-10-30T14:15:04.990",
"references": "[{\"url\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979\", \"source\": \"talos-cna@cisco.com\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "talos-cna@cisco.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"talos-cna@cisco.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-28875\",\"sourceIdentifier\":\"talos-cna@cisco.com\",\"published\":\"2024-10-30T14:15:04.990\",\"lastModified\":\"2025-11-03T22:16:50.777\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security flaw involving hard-coded credentials in LevelOne WBR-6012\u0027s web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The backdoor string can be found at address 0x80100910\\r\\n\\r\\n 80100910 40 6d 21 74 ds \\\"@m!t2K1\\\"\\r\\n 32 4b 31 00\\r\\n \\r\\nIt is referenced by the function located at 0x800b78b0 and is used as shown in the pseudocode below:\\r\\n\\r\\n if ((SECOND_FROM_BOOT_TIME \u003c 300) \u0026\u0026\\r\\n (is_equal = strcmp(password,\\\"@m!t2K1\\\")) {\\r\\n return 1;}\\r\\n \\r\\nWhere 1 is the return value to admin-level access (0 being fail and 3 being user).\"},{\"lang\":\"es\",\"value\":\"Una falla de seguridad que involucra credenciales codificadas de forma r\u00edgida en los servicios web de LevelOne WBR-6012 permite a los atacantes obtener acceso no autorizado durante los primeros 30 segundos posteriores al arranque. Otras vulnerabilidades pueden forzar un reinicio, eludiendo la restricci\u00f3n de tiempo inicial para la explotaci\u00f3n. La cadena de puerta trasera se puede encontrar en la direcci\u00f3n 0x80100910 80100910 40 6d 21 74 ds \\\"@m!t2K1\\\" 32 4b 31 00 La funci\u00f3n ubicada en 0x800b78b0 hace referencia a ella y se utiliza como se muestra en el pseudoc\u00f3digo a continuaci\u00f3n: if ((SECOND_FROM_BOOT_TIME \u0026lt; 300) \u0026amp;\u0026amp; (is_equal = strcmp(password,\\\"@m!t2K1\\\")) { return 1;} Donde 1 es el valor de retorno al acceso de nivel de administrador (0 es error y 3 es usuario).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"talos-cna@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"talos-cna@cisco.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:level1:wbr-6012_firmware:r0.40e6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FCC94B2E-4651-4E98-90A1-CB53CC2E24CC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:level1:wbr-6012:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FD255E3-0DBF-440C-AC6A-90B30DB59B34\"}]}]}],\"references\":[{\"url\":\"https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979\",\"source\":\"talos-cna@cisco.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1979\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1979\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T21:54:34.037Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28875\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-30T14:04:05.633267Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:h:levelone:wbr-6012:*:*:*:*:*:*:*:*\"], \"vendor\": \"levelone\", \"product\": \"wbr-6012\", \"versions\": [{\"status\": \"affected\", \"version\": \"R0.40e6\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-30T14:05:49.481Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Discovered by Francesco Benvenuto and Patrick DeSantis of Cisco Talos.\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"LevelOne\", \"product\": \"WBR-6012\", \"versions\": [{\"status\": \"affected\", \"version\": \"R0.40e6\"}]}], \"references\": [{\"url\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979\", \"name\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A security flaw involving hard-coded credentials in LevelOne WBR-6012\u0027s web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The backdoor string can be found at address 0x80100910\\r\\n\\r\\n 80100910 40 6d 21 74 ds \\\"@m!t2K1\\\"\\r\\n 32 4b 31 00\\r\\n \\r\\nIt is referenced by the function located at 0x800b78b0 and is used as shown in the pseudocode below:\\r\\n\\r\\n if ((SECOND_FROM_BOOT_TIME \u003c 300) \u0026\u0026\\r\\n (is_equal = strcmp(password,\\\"@m!t2K1\\\")) {\\r\\n return 1;}\\r\\n \\r\\nWhere 1 is the return value to admin-level access (0 being fail and 3 being user).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798: Use of Hard-coded Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b\", \"shortName\": \"talos\", \"dateUpdated\": \"2024-10-30T13:35:19.982Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-28875\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T21:54:34.037Z\", \"dateReserved\": \"2024-04-26T18:28:06.337Z\", \"assignerOrgId\": \"b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b\", \"datePublished\": \"2024-10-30T13:35:19.982Z\", \"assignerShortName\": \"talos\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…