CVE-2018-13859

high-risk

Published 2018-07-17

MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18, allow unauthorized remote attackers to reset the authentication via the "/xml/system/setAttribute.xml" URL, using the GET request "?id=0&attr=protectAccess&newValue=0" (a successful attack will allow attackers to login without authorization).

Do I need to act?

57.8% chance of exploitation in next 30 days

EPSS score — higher than 42% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

45088

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

C4 Professional Firmware

Affected Vendors

Trivum

References (6)

Vendor Advisory http://update.trivum.com/update/v9-changes.html

Third Party Advisory https://vulncode.com/advisory/CVE-2018-13859

Exploit https://www.exploit-db.com/exploits/45088/

Vendor Advisory http://update.trivum.com/update/v9-changes.html

Third Party Advisory https://vulncode.com/advisory/CVE-2018-13859

Exploit https://www.exploit-db.com/exploits/45088/

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 18/34 · Moderate

Exposure 5/34 · Minimal