Leveraging CWMP (CPE WAN Management Protocol) to extract vendor-specific secrets and configurations from CPEs.

What are TR-069 and CWMP?

TR-069 (Technical Report 069) is a technical specification of the Broadband Forum that defines an application layer protocol for remote management of customer-premises equipment (CPE) connected to an Internet Protocol (IP) network. The CPE WAN Management Protocol (CWMP) defines support functions for auto-configuration, software or firmware image management, software module management, status and performance management, and diagnostics.


Hardcoded FTP credentials discovery

Users and passwords enumeration


Note: The Broadband Forum defines several data models for use with the CPE WAN Management Protocol (TR-069 Amendment 6). These data models contain objects and parameters that describe the many different functions and capabilities available to devices and services that are manageable via CWMP.

You will first need to find out which data model is used by your target CPE. You may download a specific XML file describing your CPE's data model from the official Broadband Forum page. CWMPwn will process it natively (using the -x flag), but if you can't get it to work out of the box, please file an issue. By default, CWMPwn uses TR-098.


  -V, --version                     output the version number
  -u, --url [url]                   CPE URL to query (default: "")
  -x, --xml [path]                  Data model XML taken from the original broadband forum definition, see (default: "./DataModels/xml/tr-098-1-8-0-full.xml")
  -l, --list [path]                 Custom data model parameters list, see (default: "./DataModels/csv/TR-098.csv")
  -c, --cookie [cookievalue]        Valid HTTP cookies to query the target with privileges (default: false)
  -sh, --soap-header [soap-header]  Additional SOAP headers to include (default: false)
  -r, --range [max]                 How much should CWMPwn enumerate objects for each "table" (default: 3) (default: 3)
  -p, --parallel [limit]            How many requests should be run in parallel (default: 3) (default: 3)
  -v, --verbosity [level]           Set verbosity level (default: 0)
  -h, --help                        output usage information

Example of usage

In most cases you will need to tune the default options for your target CPE. You will probably need to specify a cookie (--cookie) and some specific SOAP headers (--soap-header). To debug these, you can also set the verbosity with -v 2 to output each CPE response. For example:

$ node CWMPwn.js --cookie "wbm_cookie_session_id=21FA071A64304119CD2D34B0454AF68D;" --soap-header "<DMCookie>59569BCD7C06074CC881AB7AF340EE52</DMCookie><SessionNotRefresh>1</SessionNotRefresh>"

Vendor-Specific Parameters

A vendor may extend the standardized parameter list with vendor-specific parameters and objects. The name of a vendor-specific parameter or object always has the form: X_<VENDOR>_VendorSpecificName. <VENDOR> is a unique vendor identifier, which may be either an OUI or a domain name. An OUI is an organizationally unique identifier which is formatted as a six-hexadecimal-digit string using all upper-case letters and including any leading zeros. A domain name is upper case with each dot (“.”) replaced with a hyphen or underscore. Below are some example vendor-specific parameter and object names:


It is possible to provide CWMPwn with a custom list using -l <csvPath>.
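
The X_<VENDOR>_VendorSpecificName rule described above, as an added example (not CWMPwn's own code): a small Node.js classifier that picks vendor-specific segments out of parameter paths, for instance when reviewing which vendor extensions a CPE's data model exposes. The sample paths, the OUI 00AABB and the domain EXAMPLE-COM are constructed, and the domain split is a heuristic, because an underscore can separate domain labels as well as the vendor from the name.

```javascript
// Added example: classify vendor-specific segments in CWMP parameter paths.
// All sample paths are constructed; 00AABB and EXAMPLE-COM are placeholders.
const OUI = /^[0-9A-F]{6}$/;          // six upper-case hex digits
const DOMAIN_TOKEN = /^[A-Z0-9-]+$/;  // one upper-case piece of a domain

function parseVendorSegment(segment) {
  if (!segment.startsWith('X_')) return null;
  const tokens = segment.slice(2).split('_');
  if (tokens.length < 2 || tokens.some((t) => t === '')) return null;

  // OUI form. A six-letter hex-looking domain label would also land here.
  if (OUI.test(tokens[0])) {
    return { kind: 'oui', vendor: tokens[0], name: tokens.slice(1).join('_') };
  }
  // Domain form: dots became '-' or '_', so the vendor may span several
  // tokens. Heuristic: take the leading upper-case tokens as the vendor
  // and always keep at least the last token for the name.
  let n = 0;
  while (n < tokens.length - 1 && DOMAIN_TOKEN.test(tokens[n])) n++;
  if (n === 0) return null; // e.g. lower-case vendor: not conformant
  return {
    kind: 'domain',
    vendor: tokens.slice(0, n).join('_'),
    name: tokens.slice(n).join('_'),
  };
}

// Walk every dot-separated segment, since extensions can sit at any depth.
function findVendorExtensions(paths) {
  const hits = [];
  for (const path of paths) {
    for (const segment of path.split('.')) {
      const parsed = parseVendorSegment(segment);
      if (parsed) hits.push({ path, segment, ...parsed });
    }
  }
  return hits;
}

const samplePaths = [
  'InternetGatewayDevice.DeviceInfo.SerialNumber',
  'InternetGatewayDevice.X_00AABB_Backup.FtpPassword',
  'InternetGatewayDevice.LANDevice.1.X_EXAMPLE-COM_GuestWifi.Enable',
  'InternetGatewayDevice.X_EXAMPLE_COM_Remote_Access.Port',
  'InternetGatewayDevice.X_00aabb_Backup.Enable', // lower-case OUI
];

for (const h of findVendorExtensions(samplePaths)) {
  console.log(`${h.kind}\t${h.vendor}\t${h.name}\t${h.path}`);
}
```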



MIT license

