Multiple security vulnerabilities affecting Cisco EPC3928


In the world of cyber security, there is a saying that there are two types of companies: those that have been hacked, and those that will be.

In fact, in the majority of analytical reports in Poland and in other countries, we can distinguish a common picture in which the following aspects stand out:

  • the weak element of security is the human, and organized groups of cyber criminals use social engineering combined with the power of technology
  • standard security approaches such as a firewall or an antivirus based on a database of known signatures do not prevent the greatest attacks, which are powerful in character and focused on the organization
  • a wide range of possibilities for unauthorized access has been opened by the mobile channel, WiFi and widespread BYOD

A few months ago the Secorda Security Team “worked out” unauthorized access to a very popular modem produced by Cisco and which is currently held by Technicolor. It is an interesting case, because it shows how a small number of vulnerabilities reveals a high risk. Such a scenario cannot be detected by an ordinary automatic security scanner.

Vulnerabilities in the Cisco EPC 3928 modem allow an attacker to inject code into the web interface, and can lead to device failure or even to some administrative commands being performed without authentication. Using a combination of several weak points, an attacker is able to remotely retrieve and decode the modem configuration file or extract the password to the WiFi network. Among others, the vulnerabilities found include unauthorized command execution, denial of service and stored cross-site scripting; other variants of the device can also be affected. Skillful use of these vulnerabilities in the specified order enables the acquisition of control over the device.

This modem is commonly installed by internet providers. An attacker can take control of a large number of such devices and further control the traffic of the home network. You can imagine how dangerous an attack can be that installs malicious software on the laptop of a director or of another person with significant access to corporate data. An infected home-network laptop with a backdoor on board is soon plugged into the corporate network, and the chain of an APT-type attack is started.

The following video demonstrates the effect of an exploit created by our security team that, by linking a number of vulnerabilities, brings out the device configuration file and consequently the authorization data.


Device manufacturers and some CERT teams have already issued a security bulletin in which they warn users of potential threats. Until Cisco releases workarounds or patches, we recommend verifying access to the web-based management panel and making sure that it is not reachable from the external network.

We offer internet providers a security check of the implemented devices that we audited, or an analysis of a wider range, including a comprehensive approach to the security model. If you are interested, speak to us.


Complete list of vulnerabilities:

  • Unauthorized Command Execution
  • Gateway Stored Cross Site Scripting
  • Gateway Reflective Cross Site Scripting
  • Gateway Client List Denial of Service
  • Gateway HTTP Corruption Denial of Service
  • Boot Information Disclosure

CVE References:

  • CVE-2015-6401
  • CVE-2015-6402
  • CVE-2016-1328
  • CVE-2016-1336
  • CVE-2016-1337

Cisco Bug IDs:

  • CSCux24935
  • CSCux24938
  • CSCux24941
  • CSCux24948
  • CSCuy28100
  • CSCux17178