CVE-2016-6825
Description
Lack of authentication protection in Huawei server firmware allows remote attackers to brute-force passwords for administrative access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Huawei XH620 V3, XH622 V3, XH628 V3 servers with software before V100R003C00SPC610, RH1288 V3 servers with software before V100R003C00SPC613, RH2288 V3 servers with software before V100R003C00SPC617, and RH2288H V3 servers with software before V100R003C00SPC515, as well as CH242 V3 servers with software before V100R001C00SPC285, contain a vulnerability where the management interface lacks authentication protection mechanisms [1]. This shortcoming permits an attacker to perform unlimited login attempts without rate limiting or account lockout, enabling brute-force attacks on user passwords.
Exploitation
An attacker with network access to the affected server's management interface can attempt to log in repeatedly using systematically generated passwords [1]. No prior authentication or special privileges are required. The absence of rate limiting or lockout allows the attacker to try thousands of credential combinations until successful authentication is achieved.
Impact
Successful exploitation grants the attacker valid user credentials, leading to full administrative control over the server [1]. This enables complete compromise of confidentiality, integrity, and availability of the system and any data it processes.
Mitigation
Huawei released fixed firmware versions: V100R003C00SPC610 for XH620/622/628 V3, V100R003C00SPC613 for RH1288 V3, V100R003C00SPC617 for RH2288 V3, V100R003C00SPC515 for RH2288H V3, and V100R001C00SPC285 for CH242 V3 [1]. Users should upgrade to these or later versions. No workaround other than restricting network access to the management interface is documented. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities catalog as of the available data.
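An inventory check against the fixed versions listed above, as an added example that is not part of the original entry or Huawei's tooling. It assumes version strings order by SPC number within the same V/R/C branch; the host names and inventory rows are constructed.

```python
import re

# Fixed firmware versions per model, copied from the Mitigation text above.
FIXED = {
    "XH620 V3": "V100R003C00SPC610",
    "XH622 V3": "V100R003C00SPC610",
    "XH628 V3": "V100R003C00SPC610",
    "RH1288 V3": "V100R003C00SPC613",
    "RH2288 V3": "V100R003C00SPC617",
    "RH2288H V3": "V100R003C00SPC515",
    "CH242 V3": "V100R001C00SPC285",
}
_VER = re.compile(r"^V(\d+)R(\d+)C(\d+)SPC(\d+)$", re.IGNORECASE)

def parse_version(text):
    """Split 'V100R003C00SPC610' into ((V, R, C), SPC) as integers."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    v, r, c, spc = (int(g) for g in m.groups())
    return (v, r, c), spc

def assess(model, version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one server."""
    fixed = FIXED.get(" ".join(model.upper().split()))
    if fixed is None:
        return "unknown"          # model is not named in this CVE entry
    try:
        branch, spc = parse_version(version)
    except ValueError:
        return "unknown"          # needs manual review
    fixed_branch, fixed_spc = parse_version(fixed)
    if branch != fixed_branch:
        return "unknown"          # assumption: SPC only orders within a branch
    return "vulnerable" if spc < fixed_spc else "fixed"

def audit(inventory):
    """Map each (host, model, version) row to (host, status)."""
    return [(host, assess(model, ver)) for host, model, ver in inventory]

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    ("bmc-01", "RH2288 V3", "V100R003C00SPC600"),
    ("bmc-02", "RH2288H V3", "V100R003C00SPC515"),
    ("bmc-03", "XH620 V3", "V100R005C00SPC100"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY):
        print(f"{host}: {status}")
```

Rows reported as `unknown` are the ones to check by hand against the vendor advisory, since the entry gives only one fixed version per model.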
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < V100R003C00SPC610
- Range: < V100R003C00SPC613
- Range: < V100R003C00SPC617
Patches
No patches discovered yet.
References
- www.huawei.com/en/psirt/security-advisories/huawei-sa-20160817-01-server-en (nvd; Vendor Advisory)
- www.securityfocus.com/bid/92504 (nvd; Third Party Advisory, VDB Entry)