Mofinetwork: >> Mofi4500-4gxelte Firmware >> 4.0.8-std Security Vulnerabilities
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They contain two undocumented administrator accounts. The sftp and mofidev accounts are defined in /etc/passwd and the password is not unique across installations.
CVSS Score
9.8
EPSS Score
0.005
Published
2021-02-01
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to login to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature.
CVSS Score
9.8
EPSS Score
0.003
Published
2021-02-01
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-02-01
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They can be rebooted by sending an unauthenticated poof.cgi HTTP GET request.
CVSS Score
7.5
EPSS Score
0.004
Published
2021-02-01
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-02-01