CVE-2017-14335

high-risk

Published 2017-09-12

On Beijing Hanbang Hanbanggaoke devices, because user-controlled input is not sufficiently sanitized, sending a PUT request to /ISAPI/Security/users/1 allows an admin password change.

Do I need to act?

20.2% chance of exploitation in next 30 days

EPSS score — higher than 80% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

44061

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Hb7024Xt Firmware

Hb7032Xt Firmware

Hb7008T2 Firmware

Hb7208Xt Firmware

Hb7216Xt Firmware

Hb7208X3 Firmware

Hb7216X3 Firmware

Hb7204X Firmware

Hb7208X Firmware

7204Xr Firmware

7216Xr Firmware

Hb7008Kce Firmware

Hb7008Khe Firmware

Hb7204Kk Firmware

Hb7016Lh Firmware

Hb7116X3 Firmware

Hb7108X3 Firmware

Hb8004 Firmware

Hb8016 Firmware

Hb8008R Firmware

Affected Vendors

Hbgk

References (2)

Exploit https://blogs.securiteam.com/index.php/archives/3420

/ 100

high-risk

Severity 26/34 · High

Exploitability 14/34 · Moderate

Exposure 28/34 · Critical