CVE-2013-6031 in E355
Summary
by MITRE
The Huawei E355 adapter with firmware 21.157.37.01.910 does not require authentication for API pages, which allows remote attackers to change passwords and settings, or obtain sensitive information, via a direct request to (1) api/wlan/security-settings, (2) api/device/information, (3) api/wlan/basic-settings, (4) api/wlan/mac-filter, (5) api/monitoring/status, or (6) api/dhcp/settings.
Analysis
by VulDB Data Team • 05/07/2026
CVE-2013-6031 is an authentication bypass in the web management interface of the Huawei E355 mobile broadband adapter running firmware 21.157.37.01.910. The interface exposes a set of API endpoints that answer requests without any session, cookie, or token check, so every request is handled as if it came from a logged-in administrator. The login that guards the management UI is simply not enforced on the API the UI itself calls: a client that addresses those endpoints directly skips the login entirely. The flaw is a design decision rather than an implementation slip, since no authorization logic exists at the API layer at all.
Six endpoints are named in the CVE description, and together they cover both disclosure and configuration change. api/wlan/security-settings holds the wireless security parameters; reading it discloses the WLAN authentication mode and key, and writing it is the natural route for the password changes the description mentions. api/device/information returns device metadata (model, software and hardware versions, identifiers such as the IMEI or serial) that fingerprints the unit for follow-on attacks. api/wlan/basic-settings exposes the SSID and basic radio configuration, and api/wlan/mac-filter the MAC allow/deny list, so an attacker can admit their own device or lock out legitimate ones. api/monitoring/status reports connection state and signal data, which reveals whether the device is online and in use. api/dhcp/settings controls the DHCP server the device runs for its clients; changing the gateway or DNS server it hands out lets an attacker redirect client traffic, a straightforward man-in-the-middle position. Which of these accept writes as well as reads is not spelled out in the description, but the phrase "change passwords and settings" makes clear that at least the WLAN and DHCP configuration can be modified.
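A practitioner who owns one of these devices wants a safe way to confirm whether the endpoints above really answer without a session. The following is an added example, not code from the VulDB entry or from Huawei: it issues plain GET requests (no cookie, no token, never a write) to the six paths and classifies each reply. It assumes, as is common for Huawei HiLink-style firmware but not stated on this page, that the device answers XML whose root is <response> on success and <error> with a numeric code on rejection; the device address, the field names in the fake responses, and the fake device itself are constructed for offline use.

```python
"""Read-only check for unauthenticated API endpoints on a Huawei E355-style
web interface.  Added example; the XML convention, the device address and
the fake responses below are assumptions, not facts from the CVE entry."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from xml.etree import ElementTree as ET

# The six endpoints named in CVE-2013-6031.  Only GET is ever sent.
ENDPOINTS = [
    "api/wlan/security-settings",
    "api/device/information",
    "api/wlan/basic-settings",
    "api/wlan/mac-filter",
    "api/monitoring/status",
    "api/dhcp/settings",
]

# A transport maps a URL to (status_code, body).  Injecting it lets the same
# check run against a real device or against the constructed fake below.
Transport = Callable[[str], Tuple[int, str]]


def http_get(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Plain GET with no cookies and no token: what an attacker would send."""
    req = urllib.request.Request(url, headers={"User-Agent": "e355-auth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


@dataclass
class Finding:
    endpoint: str
    status: int
    verdict: str  # "exposed", "rejected" or "unknown"
    detail: str


def classify(status: int, body: str) -> Tuple[str, str]:
    """Decide whether a reply carries real data or an auth/permission error."""
    if status != 200:
        return "rejected", f"HTTP {status}"
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return "unknown", "non-XML body"
    if root.tag == "error":
        return "rejected", f"device error code {root.findtext('code', default='?')}"
    if root.tag == "response":
        if len(root) == 0:
            return "unknown", "empty <response>"
        return "exposed", f"{len(root)} fields returned: {', '.join(c.tag for c in root)}"
    return "unknown", f"unexpected root <{root.tag}>"


def check_device(base_url: str, get: Transport = http_get) -> List[Finding]:
    findings = []
    for ep in ENDPOINTS:
        status, body = get(base_url.rstrip("/") + "/" + ep)
        verdict, detail = classify(status, body)
        findings.append(Finding(ep, status, verdict, detail))
    return findings


def is_vulnerable(findings: List[Finding]) -> bool:
    """One endpoint returning data without a session is enough."""
    return any(f.verdict == "exposed" for f in findings)


# Constructed fake device (not captured from hardware).  Five endpoints leak
# data, one rejects, so the check exercises both branches.
FAKE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "api/wlan/security-settings": (200, "<response><WifiAuthmode>WPA2-PSK</WifiAuthmode>"
                                        "<WifiWpaencryptionmodes>AES</WifiWpaencryptionmodes>"
                                        "<WifiWpapsk>example-psk</WifiWpapsk></response>"),
    "api/device/information": (200, "<response><DeviceName>E355</DeviceName>"
                                    "<SoftwareVersion>21.157.37.01.910</SoftwareVersion></response>"),
    "api/wlan/basic-settings": (200, "<response><WifiSsid>example</WifiSsid></response>"),
    "api/wlan/mac-filter": (200, "<response><WifiMacFilterStatus>0</WifiMacFilterStatus></response>"),
    "api/monitoring/status": (200, "<response><ConnectionStatus>901</ConnectionStatus></response>"),
    "api/dhcp/settings": (200, "<error><code>100003</code><message></message></error>"),
}


def fake_get(url: str) -> Tuple[int, str]:
    ep = url.split("/", 3)[-1]  # drop scheme and host
    return FAKE_RESPONSES.get(ep, (404, ""))


if __name__ == "__main__":
    results = check_device("http://192.168.1.1", fake_get)  # address assumed
    for f in results:
        print(f"{f.verdict:8} {f.status} {f.endpoint}: {f.detail}")
    print("vulnerable:", is_vulnerable(results))
```

Against a real unit, call check_device with the device's management address and the default http_get transport; a single "exposed" verdict confirms the condition the CVE describes. The check deliberately never issues a write, so it cannot alter a device it is run against.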
The practical impact follows directly from the endpoint list. Anyone who can reach the management interface can read the WLAN key and device identifiers, change the wireless password to lock the owner out, and rewrite the DHCP configuration to route client traffic through a host of their choosing. "Remote" in the description means reachable over the network rather than over the Internet: the E355 is a USB modem with a built-in Wi-Fi access point, so in the usual deployment the attacker is a client of that access point, or of whatever LAN the device is bridged to. Because no session or token is checked, the state-changing requests can also be triggered by a malicious web page loaded in the browser of any connected host, which widens the reach beyond clients an attacker controls directly. In an enterprise setting where such adapters are used for connectivity without network segmentation or monitoring, a compromised adapter becomes an entry point to the hosts behind it rather than an isolated device problem.
The weakness is CWE-284 (Improper Access Control); the more specific child CWE-306 (Missing Authentication for Critical Function) describes it exactly. In ATT&CK terms the attack is T1190, Exploit Public-Facing Application: a direct request to an exposed web service, with no user interaction required. No fixed firmware version is named in the entry, so the first step is to check with the vendor for a release that enforces authentication on these endpoints and to treat the device as untrusted until one is installed. Until then, the exposure is reduced by limiting who can reach the management interface: segment the adapter's WLAN from internal networks, do not bridge it into a corporate LAN, and use a strong, unique WLAN key so that joining the network is itself a hurdle (bearing in mind that a client who is already on the WLAN can read that key through api/wlan/security-settings). On the detection side, the six URI paths are fixed strings, so an intrusion detection rule or proxy log query that matches requests to them from unexpected clients is cheap to write and has few false positives; scanners that look for this class of HiLink exposure tend to request several of the paths in quick succession, which is a usable signature on its own. Writes (POST or PUT) to these paths from anything but the administrator's host should be treated as a confirmed configuration change by an attacker.
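The detection approach above, as an added example that is not part of the VulDB entry: the E355 keeps no request log of its own, so the input stands in for a network sensor's HTTP log (a Zeek http.log or a forward proxy log carries the same fields). The line format, the sample lines, the administrator allowlist, and the thresholds are constructed for this example. Three rules are applied: any write to one of the six paths from a non-administrator host, any read of the credential-bearing endpoint from a non-administrator host, and enumeration, meaning three or more distinct vulnerable endpoints requested by one client within ten seconds.

```python
"""Detection rules for requests to the CVE-2013-6031 API endpoints.
Added example; the log format, sample lines, allowlist and thresholds are
constructed and not taken from the CVE entry or any sensor's real output."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List, Tuple

VULN_ENDPOINTS = {
    "/api/wlan/security-settings",
    "/api/device/information",
    "/api/wlan/basic-settings",
    "/api/wlan/mac-filter",
    "/api/monitoring/status",
    "/api/dhcp/settings",
}
# Endpoints whose mere read discloses credentials.
HIGH_VALUE_READS = {"/api/wlan/security-settings"}
ENUM_THRESHOLD = 3    # distinct vulnerable endpoints ...
ENUM_WINDOW_S = 10.0  # ... within this many seconds from one client


@dataclass(frozen=True)
class Request:
    ts: float
    client: str
    method: str
    path: str


def parse_line(line: str) -> Request:
    """Constructed format: '<epoch> <client-ip> <METHOD> <path>'.
    The query string is dropped so a path matches regardless of parameters."""
    ts, client, method, path = line.split()
    return Request(float(ts), client, method.upper(), path.split("?", 1)[0])


Alert = Tuple[str, str, str]  # (rule, client, detail)


def detect(lines: List[str], admin_hosts: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Run the three rules over the log and return one alert per trigger."""
    alerts: List[Alert] = []
    # Per-client sliding window of (ts, path) for the enumeration rule.
    windows: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    enum_flagged = set()
    for raw in lines:
        r = parse_line(raw)
        if r.path not in VULN_ENDPOINTS:
            continue
        trusted = r.client in admin_hosts
        # Rule 1: a write needs no session, so from a non-admin host it is a
        # settings change by an attacker, not a misconfiguration.
        if r.method in ("POST", "PUT") and not trusted:
            alerts.append(("unauth-write", r.client, f"{r.method} {r.path}"))
        # Rule 2: reading the endpoint that carries the WLAN key.
        if r.method == "GET" and r.path in HIGH_VALUE_READS and not trusted:
            alerts.append(("credential-read", r.client, r.path))
        # Rule 3: enumeration of many distinct endpoints in a short window.
        w = windows[r.client]
        w.append((r.ts, r.path))
        while w and r.ts - w[0][0] > ENUM_WINDOW_S:
            w.popleft()
        distinct = {p for _, p in w}
        if len(distinct) >= ENUM_THRESHOLD and r.client not in enum_flagged:
            enum_flagged.add(r.client)
            alerts.append(("enumeration", r.client,
                           f"{len(distinct)} endpoints in {ENUM_WINDOW_S:.0f}s"))
    return alerts


# Constructed sample: the administrator (.10) browsing the UI, then a
# scanner (.57) walking the endpoints and finally rewriting the WLAN settings.
SAMPLE_LOG = """\
1700000000.0 192.168.1.10 GET /api/monitoring/status
1700000001.5 192.168.1.10 GET /api/wlan/basic-settings
1700000060.0 192.168.1.57 GET /api/device/information
1700000060.2 192.168.1.57 GET /api/wlan/security-settings
1700000060.4 192.168.1.57 GET /api/wlan/mac-filter
1700000060.6 192.168.1.57 GET /api/dhcp/settings
1700000061.0 192.168.1.57 POST /api/wlan/security-settings
1700000200.0 192.168.1.10 GET /api/wlan/security-settings
1700000300.0 192.168.1.57 GET /index.html
""".splitlines()

ADMIN_HOSTS = frozenset({"192.168.1.10"})

if __name__ == "__main__":
    for rule, client, detail in detect(SAMPLE_LOG, ADMIN_HOSTS):
        print(f"[{rule}] {client}: {detail}")
```

The enumeration rule fires once per client rather than on every further request, so a scanner walking all six paths produces one alert instead of four; the write rule fires on every write, because each one is a separate change worth recording. Without an allowlist the administrator's own read of the security settings is also reported, which is the correct default when the legitimate management host is not known.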