
CVE-2024-28875: CWE-798: Use of Hard-coded Credentials in LevelOne WBR-6012

Severity: High
Tags: Vulnerability, CVE-2024-28875, CWE-798
Published: Wed Oct 30 2024 (10/30/2024, 13:35:19 UTC)
Source: CVE Database V5
Vendor/Project: LevelOne
Product: WBR-6012

Description

A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.

The backdoor string can be found at address 0x80100910:

    80100910 40 6d 21 74    ds "@m!t2K1"
             32 4b 31 00

It is referenced by the function located at 0x800b78b0 and is used as shown in the pseudocode below:

    if ((SECOND_FROM_BOOT_TIME < 300) && (is_equal = strcmp(password, "@m!t2K1"))) {
        return 1;
    }

where 1 is the return value for admin-level access (0 being fail and 3 being user).

AI-Powered Analysis

AI analysis last updated: 11/03/2025, 23:58:50 UTC

Technical Analysis

CVE-2024-28875 is a vulnerability classified under CWE-798 (use of hard-coded credentials) in the LevelOne WBR-6012 router. The flaw exists in the device's web services, where a hard-coded password '@m!t2K1' is embedded at memory address 0x80100910 and checked during the first 30 seconds after boot (the pseudocode compares SECOND_FROM_BOOT_TIME against 300 while the description states 30 seconds, likely a documentation inconsistency). If a login attempt uses this password within this window, the device grants admin-level access (return value 1), bypassing the normal authentication mechanism. The vulnerability is exacerbated by other flaws that allow an attacker to force the device to reboot, thus resetting the exploitation window and enabling repeated unauthorized access. The CVSS v3.1 score of 8.1 reflects the high impact on confidentiality, integrity, and availability, with a network attack vector and no privileges or user interaction required, but high attack complexity. An attacker who succeeds during the vulnerable window can fully compromise the device remotely, potentially leading to network compromise, data interception, or further lateral movement. No patches are currently linked and no exploits in the wild have been reported, but the risk remains significant given the ease of exploitation and the critical role of the device.

Potential Impact

For European organizations, this vulnerability poses a significant risk to network security, particularly for those using LevelOne WBR-6012 routers in their infrastructure. Successful exploitation can lead to unauthorized administrative access, enabling attackers to alter configurations, intercept or redirect traffic, deploy malware, or disrupt network availability. This could compromise sensitive data confidentiality, disrupt business operations, and damage organizational reputation. Critical sectors such as finance, healthcare, government, and telecommunications are especially vulnerable due to their reliance on secure and stable network infrastructure. The ability to force reboots and repeatedly exploit the vulnerability increases the threat persistence and potential for widespread disruption. Given the high CVSS score and the nature of the device, the impact on European organizations could be severe if not mitigated promptly.

Mitigation Recommendations

1. Immediate mitigation should focus on network-level controls: restrict access to the router's management interface to trusted IP addresses and VLANs, ideally isolating it from the public internet.
2. Monitor network traffic for unusual reboot patterns or unauthorized access attempts during device boot time.
3. Disable or restrict remote management features if not essential.
4. Implement network segmentation to limit the impact of a compromised router.
5. Contact LevelOne for firmware updates or security advisories addressing this vulnerability; apply patches as soon as they become available.
6. If firmware updates are unavailable, consider replacing affected devices with models not susceptible to this vulnerability.
7. Employ intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts targeting the hard-coded credential window.
8. Educate IT staff about the vulnerability and ensure incident response plans include steps for this specific threat.
9. Regularly audit device configurations and logs to detect unauthorized access.
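As a worked example of mitigation items 2 and 7 (added here; not part of the original advisory or any LevelOne tooling), the following Python scans constructed syslog-style log lines for admin logins that land inside the 30-second post-boot window and for reboot bursts that would indicate the window is being reopened. The log format, field names and burst thresholds are assumptions; only the 30-second window comes from the advisory.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (syslog-style; not captured from a real WBR-6012).
SAMPLE_LOG = """\
2025-11-03T22:00:00Z router kernel: system boot
2025-11-03T22:00:12Z router httpd: login success user=admin src=203.0.113.7
2025-11-03T22:09:00Z router httpd: login success user=admin src=192.0.2.10
2025-11-03T22:10:00Z router kernel: system boot
2025-11-03T22:10:25Z router httpd: login success user=admin src=203.0.113.7
2025-11-03T22:11:00Z router kernel: system boot
2025-11-03T22:11:40Z router httpd: login success user=admin src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<proc>[^:]+): (?P<msg>.*)$")
BOOT_WINDOW = timedelta(seconds=30)   # vulnerable window stated in the advisory
REBOOT_BURST = 3                      # this many boots inside REBOOT_SPAN is suspicious (assumed)
REBOOT_SPAN = timedelta(minutes=15)


def parse_line(line):
    """Return (timestamp, process, message), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["proc"], m["msg"]


def analyze(log_text):
    """Return (kind, timestamp, detail) alerts: 'boot_window_login' for an admin
    login within BOOT_WINDOW of the last boot, 'reboot_burst' for REBOOT_BURST
    boots inside REBOOT_SPAN (forced reboots reopening the window)."""
    alerts, boots, last_boot = [], [], None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _proc, msg = rec
        if "system boot" in msg:
            boots.append(ts)
            last_boot = ts
            recent = [b for b in boots if ts - b <= REBOOT_SPAN]
            if len(recent) >= REBOOT_BURST:
                alerts.append(("reboot_burst", ts, f"{len(recent)} boots within {REBOOT_SPAN}"))
        elif "login success" in msg and "user=admin" in msg:
            if last_boot is not None and ts - last_boot <= BOOT_WINDOW:
                src = re.search(r"src=(\S+)", msg)
                delay = int((ts - last_boot).total_seconds())
                alerts.append(("boot_window_login", ts,
                               f"admin login {delay}s after boot from {src.group(1) if src else '?'}"))
    return alerts
```

On the sample above, the login at 22:09:00 and the one 40 seconds after the third boot produce no alert, while the two logins inside the window and the third boot within 15 minutes do.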


Technical Details

Data Version: 5.2
Assigner Short Name: talos
Date Reserved: 2024-04-26T18:28:06.337Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69092623fe7723195e0b4724

Added to database: 11/3/2025, 10:01:07 PM

Last enriched: 11/3/2025, 11:58:50 PM

Last updated: 11/5/2025, 2:08:06 PM

