| Title | Beetel 777VR1 Firmware Versions: V01.00.09 / V01.00.09_55 Hard-Coded PSK at scale, wifi compromise, PMKID exposure, CWE798 |
|---|---|
| Description | Hard-coded Default WPA2 Pre-Shared Key (PSK) in Beetel 777VR1 Enables Unauthorized Wireless Access, Demonstrated Through PMKID Exposure |

The Beetel 777VR1 wireless router ships with a vendor-defined default WPA2 Pre-Shared Key (PSK) that is identical across devices, resulting in a shared authentication secret deployed at scale. An attacker within wireless range can recover or directly use this credential to gain unauthorized access to the wireless network without user interaction. The issue is remotely exploitable.
Affected Product
- Product: Beetel 777VR1 Broadband Wireless Router
- Firmware: V01.00.09 / V01.00.09_55
- Deployment: ISP-supplied consumer routers (large-scale deployment)
Vulnerability Type
CWE-798: Use of Hard-coded Credentials
Description
The Beetel 777VR1 router is shipped with a static, vendor-supplied default WPA2 pre-shared key that does not differ between devices and is not randomly generated per unit. The firmware does not enforce a mandatory PSK change during initial setup/startup, leaving devices permanently vulnerable in their out-of-the-box configuration.
An attacker within wireless range can obtain the PMKID, key-derived authentication material that the access point emits, without authenticating and without any client being connected. Because the default PSK is weak, predictable, and reused across devices, the attacker can confirm the PSK through offline verification or simply authenticate with the known credential.
The vulnerability arises from the combination of a shared, static, vendor-supplied default WPA2 pre-shared key and the absence of mandatory credential rotation during device initialization. PMKID exposure serves as a reliable exploitation mechanism for the shared default credential: it lets an attacker confirm or recover the pre-shared key without waiting for a legitimate client. The flaw is not in the WPA2 protocol itself but in the reuse of one vendor-defined pre-shared key across devices. Because the same default credential is deployed across large ISP fleets, exploitation scales to many devices without per-target preparation.
Impact
Successful exploitation allows an attacker to:
- Authenticate to the wireless network without authorization
- Intercept or manipulate network traffic
- Launch further attacks against connected devices
- Reconfigure the router (depending on network exposure)
The attack requires no prior authentication, no user interaction, and can be performed entirely over the air.
Attack Vector
- Attack Vector: Adjacent (wireless range)
- Authentication Required: None
- User Interaction: None
- Attack Complexity: Low
CVSS v3.1 Score (Suggested)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8 (High)
Steps to Reproduce/Proof-of-Concept:
See the GitHub link below for detailed Steps to Reproduce / Proof-of-Concept:
https://gist.github.com/raghav20232023/a79c06d2d2562238a6c9d5e6229a13fa
Mitigation/Security Recommendations
- Generate a unique, high-entropy PSK per device
- Enforce a mandatory password change on first use
- Disable PMKID exposure where possible
- Transition affected devices to WPA3-SAE
- Replace vulnerable hardware where firmware updates are unavailable
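As an added illustration of why a shared default PSK is exploitable at scale (the Description section) and how the first two mitigations above close the gap, the following example is written for this page and is not code from the advisory, the vendor, or the linked gist; the default PSK, the SSID and the minimum-length threshold are constructed placeholders.

```python
import hashlib
import secrets
import string

# WPA2-Personal (IEEE 802.11i) derives the 256-bit Pairwise Master Key from
# nothing but the passphrase and the SSID: PBKDF2-HMAC-SHA1, 4096 iterations.
# Every unit that ships the same default PSK under the same SSID therefore
# holds the same PMK, which is what makes the defect exploitable at scale.
def derive_pmk(psk: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)

# Mitigation 1: a unique, high-entropy PSK per device, drawn from a CSPRNG at
# provisioning time (20 alphanumerics is roughly 119 bits of entropy).
_ALPHABET = string.ascii_letters + string.digits

def generate_device_psk(length: int = 20) -> str:
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

# Mitigation 2: refuse to bring the radio up while the configured PSK is still
# the shared factory default or is too short. `factory_defaults` holds a
# constructed placeholder; the real default value is deliberately not used here.
def psk_passes_policy(psk: str, factory_defaults: set, min_len: int = 16) -> bool:
    return psk not in factory_defaults and len(psk) >= min_len

def demo() -> dict:
    """Constructed scenario: two routers with the vendor default vs. per-device keys."""
    default_psk = "FACTORY-DEFAULT-PLACEHOLDER"   # constructed, not the real default
    ssid = "Beetel_777VR1"                        # constructed SSID
    # Two different units, same default PSK and SSID: identical PMK.
    shared = derive_pmk(default_psk, ssid) == derive_pmk(default_psk, ssid)
    # Two units provisioned with per-device keys: distinct PMKs.
    key_a, key_b = generate_device_psk(), generate_device_psk()
    distinct = derive_pmk(key_a, ssid) != derive_pmk(key_b, ssid)
    return {
        "same_default_gives_same_pmk": shared,
        "per_device_psk_gives_distinct_pmk": distinct,
        "default_rejected": not psk_passes_policy(default_psk, {default_psk}),
        "generated_accepted": psk_passes_policy(key_a, {default_psk}),
    }

if __name__ == "__main__":
    print(demo())
```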
Author, Credit and Acknowledgments
Discovered and reported by RAGHAV AGRAWAL.
Note for CNA (VulDB)
This issue is distinct from previously disclosed vulnerabilities involving leakage of credentials through UART access. While prior disclosures demonstrated credential leakage via debug interfaces, this vulnerability enables fully remote exploitation within wireless range.

| Source | https://gist.github.com/raghav20232023/a79c06d2d2562238a6c9d5e6229a13fa |
|---|---|
| User | raghav_2026 (UID 94388) |
| Submitted | 08.02.2026 23:48 (4 months ago) |
| Moderation | 18.02.2026 18:56 (10 days later) |
| Status | accepted |
| VulDB entry | 346648 [Beetel 777VR1 up to 01.00.09 WPA2 PSK weak authentication] |
| Points | 20 |