CVE-2016-10116

moderate-risk

Published 2017-01-04

NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier use a pattern of adjective, noun, and three-digit number for the customized password, which makes it easier for remote attackers to obtain access via a dictionary attack.

Do I need to act?

7.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (3)

Arlo Base Station Firmware

Arlo Q Camera Firmware

Arlo Q Plus Camera Firmware

Affected Vendors

Netgear

References (6)

Third Party Advisory http://blog.newskysecurity.com/2016/09/brute-force-vulnerability-netgear-arlo/

Mitigation http://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability

Third Party Advisory http://www.securityfocus.com/bid/95266

Third Party Advisory http://blog.newskysecurity.com/2016/09/brute-force-vulnerability-netgear-arlo/

Mitigation http://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability

Third Party Advisory http://www.securityfocus.com/bid/95266

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 9/34 · Low

Exposure 9/34 · Low