CVE-2018-20387
Description
Bnmux BCW700J 5.20.7, BCW710J 5.30.6a, and BCW710J2 5.30.16 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bnmux BCW700J/BCW710J/BCW710J2 routers expose credentials via specific SNMP OIDs, allowing remote attackers to discover passwords without authentication.
Vulnerability
The Bnmux BCW700J firmware version 5.20.7, BCW710J version 5.30.6a, and BCW710J2 version 5.30.16 expose credentials via SNMP. Specifically, the OIDs iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 return credential information when queried [1]. No authentication is required to access these OIDs if SNMP is enabled with a default or no community string.
Exploitation
An attacker with network access to the device can send SNMP GET requests to the listed OIDs. The device responds with credential data (likely passwords or usernames). No prior authentication or special privileges are needed; the attacker only needs to know the SNMP community string, which is often left as the default "public".
Impact
Successful exploitation allows an attacker to retrieve credentials from the device, leading to full compromise of the router's administrative interface. This can result in unauthorized access to the network, modification of settings, or further lateral movement.
Mitigation
As of the publication date (2018-12-23), no official patch or firmware update has been disclosed in the available references. Users should disable SNMP if not required, or restrict SNMP access to trusted IPs and change the community string from the default. The affected models may be end-of-life; consult the vendor for updates.
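While SNMP remains enabled on an affected device, traffic that names either OID can be flagged on the wire. The following is an added example, not part of the CVE record or its references: it BER-encodes the two OIDs from the description and searches UDP/161 payloads for them. The function names and sample payloads are constructed for illustration.

```python
"""Flag SNMP payloads that reference the credential OIDs from CVE-2018-20387."""

# The two OIDs named in the CVE description ("iso" is arc 1).
LEAK_OIDS = (
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
)


def ber_oid(dotted):
    """BER-encode a dotted OID as a full TLV (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128; final byte has MSB clear
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)


# Encoded byte pattern -> dotted OID, computed once.
NEEDLES = {ber_oid(oid): oid for oid in LEAK_OIDS}


def leaked_oids_in(payload):
    """Return the watched OIDs whose encoding appears in a UDP/161 payload."""
    return [oid for needle, oid in NEEDLES.items() if needle in payload]


def sample_varbind(oid):
    """Constructed test input: one varbind (OID + NULL) standing in for a payload."""
    inner = ber_oid(oid) + b"\x05\x00"
    return bytes([0x30, len(inner)]) + inner


if __name__ == "__main__":
    # Constructed samples: one watched OID, one unrelated OID (sysDescr.0).
    for name in (LEAK_OIDS[0], "1.3.6.1.2.1.1.1.0"):
        hits = leaked_oids_in(sample_varbind(name))
        print(name, "->", hits if hits else "no watched OID")
```

Because an SNMP response repeats the OID in its varbind, the same match applies to replies leaving the device, which also covers walks that reach these OIDs without naming them in the request.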
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (2)
- github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv (mitre, x_refsource_MISC)
- misteralfa-hack.blogspot.com/2018/12/stringbleed-y-ahora-que-passwords-leaks.html (mitre, x_refsource_MISC)