| Title | Beetel 777VR1 Firmware Versions: V01.00.09 / V01.00.09_55 Unauthorized Telnet Service Activation - CWE-1188 |
|---|
| Description | Unauthorized Telnet Service Activation via Diagnostic Interface and ACL, MIB Manipulation Leading to Remote Administrative Compromise
Description
A vulnerability exists in the Beetel 777VR1 Broadband Router firmware versions V01.00.09 and V01.00.09_55 that allows an attacker with access to the diagnostic shell (via UART interface) to enable the deprecated Telnet service despite it being disabled by default.
The diagnostic interface exposes direct access to the configuration Management Information Base (MIB), allowing modification of the TELNET_STATE parameter without proper authentication boundaries. By setting this parameter to an enabled state and removing Telnet from the LAN ACL blacklist, an attacker can activate a remote Telnet service.
Once Telnet is enabled, it leads to full system compromise because a root-equivalent system shell is exposed, as shown below (under reproduction steps).
Telnet is also a very weak protocol: credentials are transmitted in plaintext, so the strength of the credentials used to authenticate over Telnet does not matter. In addition, the default Telnet credentials on this device are admin:password, which are very weak.
Why Telnet Should Never Be Enabled
Telnet has been officially deprecated for secure administration since the early 2000s, with SSH replacing it due to Telnet’s complete lack of confidentiality, integrity, and authentication protections.
Modern security standards, including NIST, CIS, and ISO/IEC 27001, explicitly forbid the use of Telnet for management access. Any firmware that retains Telnet, even in a disabled-by-default state, maintains a latent critical attack surface, as demonstrated by this vulnerability.
The Telnet authentication mechanism is insecure and accepts weak, default credentials (admin:password). When Telnet is enabled, whether via the web console, diagnostic shell, or MIB manipulation, the service exposes a shell-like diagnostic environment with root-equivalent privileges.
Because Telnet transmits credentials in cleartext and lacks session integrity, attackers monitoring network traffic can trivially recover administrative credentials. Additionally, the same credentials are reused across UART, web, SSH, and Telnet interfaces, enabling lateral privilege escalation once any access path is compromised.
Telnet transmits credentials in plaintext and lacks cryptographic protections. Its reactivation enables remote attackers to:
Intercept authentication credentials
Perform man-in-the-middle attacks
Gain persistent administrative access
Proof/Steps to Reproduce
Please see the link for detailed explanation and steps:
https://gist.github.com/raghav20232023/39e3d88d1bc2bcef89bb0f3b5fbb73e0
Vulnerability Classification
CWE-1188 – Insecure Default Initialization of Resource (Primary)
CWE-306 – Missing Authentication for Critical Function
CWE-693 – Protection Mechanism Failure
CWE-284 – Improper Access Control
CWE-912 – Hidden Functionality
CWE-319 – Cleartext Transmission
Impact
Remote unauthenticated access once Telnet is enabled
Plaintext credential disclosure
Full administrative compromise of the device
Persistent configuration changes across reboots
Affected Products
Beetel 777VR1 Broadband Router
Firmware Versions:
V01.00.09
V01.00.09_55
Attack Vector
UART (Physical)
Web-Console / Diagnostic Interface (Remote)
Severity
Critical
Mitigation
Permanently remove Telnet binaries and configuration hooks
Enforce immutable disablement of Telnet at compile time
Restrict diagnostic interfaces to authenticated, role-separated access
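To confirm on a deployed unit that Telnet has not been re-enabled, including after a reboot, the following check probes the Telnet port from the LAN side and reports whether the listener performs Telnet option negotiation. It is an added example, not part of the original advisory or any vendor tooling; the default port 23 and the placeholder address 192.0.2.1 are assumptions.

```python
import socket
import sys

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}


def parse_negotiation(data: bytes) -> list:
    """Return (verb, option) pairs for each 3-byte IAC option negotiation."""
    found, i = [], 0
    while i + 2 < len(data):
        if data[i] == IAC and data[i + 1] == IAC:
            i += 2  # escaped 0xFF data byte, not a command
        elif data[i] == IAC and data[i + 1] in VERBS:
            found.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        else:
            i += 1
    return found


def check_telnet(host: str, port: int = 23, timeout: float = 3.0) -> dict:
    """Classify a TCP port as closed, open, or open and speaking Telnet."""
    result = {"host": host, "port": port, "state": "closed", "options": []}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["state"] = "open"  # something accepted the connection
            try:
                banner = s.recv(256)  # Telnet servers usually negotiate first
            except socket.timeout:
                banner = b""
    except OSError:  # refused, unreachable, timed out or reset
        return result
    result["options"] = parse_negotiation(banner)
    if result["options"]:
        result["state"] = "telnet"
    return result


if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder; pass the router's LAN address.
    report = check_telnet(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1")
    print(report)
    sys.exit(0 if report["state"] == "closed" else 1)
```

The non-zero exit status for any state other than "closed" lets the check run from a scheduled job and alert when the port reappears.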
Author and Credit
RAGHAV AGRAWAL
|
|---|
| Source | ⚠️ https://gist.github.com/raghav20232023/39e3d88d1bc2bcef89bb0f3b5fbb73e0 |
|---|
| User | raghav_2026 (UID 94388) |
|---|
| Submission | 03/02/2026 20h36 (4 months ago) |
|---|
| Moderation | 17/02/2026 08h00 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 346267 [Beetel 777VR1 up to 01.00.09 Telnet Service/SSH Service Privilege Escalation] |
|---|
| Points | 20 |
|---|