Vulnerabilities > ATT > U Verse Firmware > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-09-03 | CVE-2017-14115 | Use of Hard-coded Credentials vulnerability in ATT U-Verse Firmware 9.2.2H0D83 The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures ssh-permanent-enable WAN SSH logins to the remotessh account with the 5SaP9I26 password, which allows remote attackers to access a "Terminal shell v1.0" service, and subsequently obtain unrestricted root privileges, by establishing an SSH session and then entering certain shell metacharacters and BusyBox commands. | 9.3 |
| 2017-09-03 | CVE-2017-14116 | Use of Hard-coded Credentials vulnerability in ATT U-Verse Firmware 9.2.2H0D83 The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, which allows remote attackers to obtain root privileges by establishing a session on port 49955 and then installing new software, such as BusyBox with "nc -l" support. | 9.3 |