CVE-2016-10115

Description

NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier have a default password of 12345678, which makes it easier for remote attackers to obtain access after a factory reset or in a factory configuration.

Related CPE's

onetgeararlo_base_station_firmware********

hnetgearvms3xx0-*******

hnetgearvmb30x0-*******

hnetgearvmk3xx0-*******

onetgeararlo_q_camera_firmware********

hnetgearvmc3040-*******

onetgeararlo_q_plus_camera_firmware********

hnetgearvmc3040s-*******

References

http://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability

MitigationVendor Advisory

http://blog.newskysecurity.com/2016/09/factory_reset_vuln_in_netgear_arlo/

Third Party Advisory

95265

Third Party AdvisoryVDB Entry

CvssV3 impact

BaseSeverity

CRITICAL

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

HIGH

PrivilegesRequired

NONE

BaseScore

9.8

VectorString

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Version

3.0

UserInteraction

NONE

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:L/Au:N/C:C/I:C/A:C

AccessVector

NETWORK

AccessComplexity

LOW

Authentication

NONE

ConfidentialityImpact

COMPLETE

IntegrityImpact

COMPLETE

AvailabilityImpact

COMPLETE

BaseScore

10

Created by Yello
About Severity.io