CVE-2023-41010 in China Telecom Tianyi Home Gateway

Summary

by MITRE • 09/14/2023

Insecure Permissions vulnerability in Sichuan Tianyi Kanghe Communication Co., Ltd China Telecom Tianyi Home Gateway v.TEWA-700G allows a local attacker to obtain sensitive information via the default password parameter.

Analysis

by VulDB Data Team • 01/30/2026

The CVE-2023-41010 vulnerability represents a critical insecure permissions flaw affecting the China Telecom Tianyi Home Gateway model TEWA-700G manufactured by Sichuan Tianyi Kanghe Communication Co., Ltd. This device operates within the consumer and enterprise networking space, serving as a home gateway that typically manages network connectivity and various communication services for residential users. The vulnerability specifically manifests through default password parameters that have not been properly secured, creating a persistent security weakness that can be exploited by local attackers who already have physical or network access to the device. The default credential configuration allows unauthorized individuals to gain access to sensitive system information, potentially compromising the entire network infrastructure managed by the gateway.

This vulnerability directly relates to CWE-798, which categorizes the use of hard-coded credentials as a significant security risk. The technical flaw occurs at the authentication layer where the device fails to implement proper credential management protocols. When a device ships with default passwords that remain unchanged by users, it creates an inherent attack surface that aligns with ATT&CK technique T1078.004, which covers legitimate credentials used for persistence. The insecure permissions aspect indicates that the system does not properly enforce access controls, allowing local attackers with minimal privileges to escalate their access and extract sensitive data through the default credential mechanism. This type of vulnerability is particularly dangerous in home gateway environments where physical access is often possible, and where the device may be located in areas accessible to unauthorized individuals.

The operational impact of this vulnerability extends beyond simple credential theft, as the compromised gateway could serve as a pivot point for further network attacks. Local attackers who gain access through default credentials can potentially manipulate network configurations, monitor traffic, or establish backdoors for persistent access. The sensitive information that can be obtained includes network configuration parameters, user credentials, device management interfaces, and potentially other connected device information. This vulnerability is particularly concerning in the context of IoT security where home gateways often serve as the primary entry point for home networks, making them attractive targets for attackers seeking to compromise larger network ecosystems. The attack surface is further expanded when considering that many users fail to change default passwords, making this vulnerability exploitable across a wide deployment base.

Mitigation strategies for CVE-2023-41010 should focus on immediate credential management and configuration hardening. Organizations and users must immediately change all default passwords to strong, unique credentials that follow security best practices. The device should be configured to enforce password complexity requirements and implement account lockout mechanisms to prevent brute force attacks. Network segmentation should be implemented to limit the potential impact of credential compromise, and regular security audits should be conducted to ensure that default configurations have not been re-enabled. Additionally, network monitoring should be enhanced to detect unusual authentication patterns or unauthorized access attempts. The vulnerability highlights the critical importance of following the principle of least privilege and implementing proper access control mechanisms as recommended by cybersecurity frameworks such as NIST SP 800-53 and ISO 27001, which emphasize the need for secure configuration management and credential protection to prevent unauthorized access to critical network infrastructure.

Reservation: 08/22/2023
Disclosure: 09/14/2023
Moderation: accepted
CPE: ready
EPSS: 0.00214
KEV: no
Activities: very low
