CVE-2019-15653
Description
Comba AP2600-I devices through A02,0202N00PD2 are prone to password disclosure via an insecure authentication mechanism. The HTML source code of the login page contains values that allow obtaining the username and password. The username and password values are a double md5 of the plaintext real value, i.e., md5(md5(value)).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Comba AP2600-I devices through firmware A02,0202N00PD2 expose password hashes in login page HTML, allowing attackers to recover credentials via MD5 reversal.
Vulnerability
Comba AP2600-I devices through firmware version A02,0202N00PD2 contain an insecure authentication mechanism. The login page HTML source code exposes username and password fields with values that are double MD5 hashes (md5(md5(plaintext))) of the actual credentials, allowing an attacker to obtain the hashed password directly.
Exploitation
An attacker with network access to the device's login page can view the page source to retrieve the double MD5 hash values. Since MD5 is cryptographically weak, the attacker can reverse the hashes using precomputed rainbow tables or brute force to recover the plaintext username and password. No authentication or user interaction is required.
Impact
Successful exploitation results in full disclosure of administrative credentials, granting the attacker complete control over the device. This can lead to unauthorized access to the network, interception or modification of traffic, and further compromise of connected systems.
Mitigation
As of the publication date and available references, no firmware patch or workaround has been disclosed. Users are advised to restrict network access to the device login page and monitor for vendor updates.
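An added example, not part of the CVE record or of any vendor tooling: a Python check an administrator can run on a saved copy of their own device's login page to see whether it embeds MD5-shaped values, and whether those equal md5(md5(value)) of credentials the administrator already knows. The sample HTML and its field names are constructed, and re-hashing the inner digest as lowercase hex text is an assumption the record does not state.

```python
import hashlib
import re
from html.parser import HTMLParser

MD5_HEX = re.compile(r"\b[0-9a-fA-F]{32}\b")  # exactly 32 hex chars, not part of a longer run

def double_md5(value: str) -> str:
    """md5(md5(value)); assumes the inner digest is re-hashed as lowercase hex text."""
    inner = hashlib.md5(value.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

class DigestFinder(HTMLParser):
    """Collects MD5-shaped strings from attribute values and inline scripts."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (location, digest)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            for digest in MD5_HEX.findall(value or ""):
                self.findings.append((f"<{tag} {name}>", digest.lower()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for digest in MD5_HEX.findall(data):
                self.findings.append(("<script>", digest.lower()))

def audit_login_page(html: str, known_username: str, known_password: str):
    """Return (location, digest, label) for every MD5-shaped value served in the page."""
    finder = DigestFinder()
    finder.feed(html)
    finder.close()
    expected = {double_md5(known_username): "username",
                double_md5(known_password): "password"}
    return [(loc, d, expected.get(d, "unidentified digest")) for loc, d in finder.findings]

# Constructed sample page; field and variable names are hypothetical.
SAMPLE_HTML = f"""<html><body><form>
<input type="hidden" name="hidden_user" value="{double_md5('admin')}">
<script>var stored_pass = "{double_md5('example-pass')}";</script>
</form></body></html>"""

if __name__ == "__main__":
    for row in audit_login_page(SAMPLE_HTML, "admin", "example-pass"):
        print(row)
```

Any row labelled username or password means the page hands credential digests to unauthenticated clients; treat those credentials as disclosed and rotate them once access to the login page is restricted.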
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Comba/AP2600-I devices (description)
Patches
No patches discovered yet.
References
- www.comba-telecom.com/en/news (mitre, x_refsource_MISC)
- www.trustwave.com/en-us/resources/security-resources/security-advisories/ (mitre, x_refsource_MISC)