CVE-2017-2162 in FlashAirTM
Summary
by MITRE
FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and earlier and FlashAirTM SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.04 and earlier allows default credentials to be set for wireless LAN connections to the product when enabling the PhotoShare function through a web browser.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability affects FlashAir SDHC memory cards from the SD-WE Series with firmware versions prior to V3.00.02 and the SD-WD/WC Series with firmware versions prior to V2.00.04. The issue stems from the implementation of the PhotoShare wireless functionality where default credentials are configured for wireless LAN connections without proper user authentication mechanisms. When users enable the PhotoShare function through a web browser interface, the device automatically sets up wireless access with predetermined username and password combinations that remain unchanged unless manually modified by the user. This represents a critical security flaw that violates fundamental principles of secure system design and authentication.
The technical nature of this vulnerability aligns with CWE-798, which addresses the use of hard-coded credentials, and CWE-312, concerning the exposure of sensitive information through cleartext storage. The flaw operates at the application layer where the device fails to enforce proper access controls and authentication mechanisms during wireless configuration. The default credentials are typically well-known and easily discoverable through manufacturer documentation or public resources, creating a predictable and exploitable attack vector. This implementation bypasses standard network security practices by not requiring users to establish unique authentication credentials during the initial setup process.
The operational impact of this vulnerability is significant as it allows unauthorized individuals to gain wireless access to the memory card's web interface without requiring any specialized tools or techniques. Attackers can remotely connect to the device and potentially access stored data, modify device configurations, or perform man-in-the-middle attacks on the wireless communication. The vulnerability affects both the SD-WE and SD-WD/WC series devices, indicating a widespread implementation flaw that could compromise thousands of devices in the field. Network administrators and end users who fail to manually change the default credentials are left vulnerable to unauthorized access, particularly in environments where these devices might be used in public or shared spaces.
Security mitigations for this vulnerability include immediate firmware updates from the manufacturer to address the hardcoded credential issue, mandatory credential change procedures during initial device setup, and enhanced authentication mechanisms for wireless access. Users should disable the PhotoShare function if not required and manually configure unique wireless credentials when the feature is enabled. Network segmentation and monitoring can help detect unauthorized access attempts, while regular security audits should verify that default credentials have been properly changed. This vulnerability demonstrates the importance of implementing secure defaults and proper authentication protocols as outlined in the NIST Cybersecurity Framework and aligns with ATT&CK technique T1110 for credential access and T1071 for application layer protocols, emphasizing the need for proper network access control and secure configuration management practices.