CVE-2019-11061
HG100 has a broken access control vulnerability in its Web API Server
In short
The HG100 device allows anyone on the same network to control connected IoT devices without logging in, by directly accessing a web endpoint. This means an attacker can turn devices on/off, change settings, or disrupt their operation without any password or permission.
Technical detail
HG100 firmware ≤4.00.06 contains broken access control in the Web API Server endpoint http://[target]/smarthome/devicecontrol, accessible over HTTP without authentication from the local network. An unauthenticated attacker can execute arbitrary device control operations, affecting confidentiality, integrity, and availability of connected IoT devices.
Summary generated and translated by AI from the official description.
A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Affected products
ASUS · HG100 firmware
Public PoCs found: 1
GitHub: github.com/tim124058/ASUS-SmartHome-Exploit (★ 23)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.