CVE-2019-15654
Description
Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Comba AC2400 devices expose cleartext login credentials via an unauthenticated download of DBconfig.cfg through /09/business/upgrade/upcfgAction.php.
Vulnerability
Comba AC2400 devices (no fixed firmware version has been identified) contain an information disclosure vulnerability in the web management server. A crafted request to /09/business/upgrade/upcfgAction.php?download=true downloads the DBconfig.cfg file without any authentication. The login credentials are stored in cleartext at the end of this file. [1]
Exploitation
An attacker with network access to the device's web management interface can send an HTTP GET request to the vulnerable endpoint. No authentication or prior knowledge is required. The attacker simply visits the URL http://<device_ip>/09/business/upgrade/upcfgAction.php?download=true and receives the full database configuration file, which includes plaintext credentials that are typically the device admin login. [1]
Impact
Successful exploitation allows an unauthenticated attacker to obtain the device's administrative login credentials in cleartext. This leads to full compromise of the Comba AC2400 device, including access to configuration settings, ability to change parameters, and potential use as a pivot point within the network. [1]
Mitigation
Comba has not publicly disclosed a fixed firmware version [2]. Users are advised to restrict network access to the web management interface to trusted hosts only, place the device behind a firewall, and monitor access logs for requests to the upcfgAction.php download endpoint from hosts that should not reach the management interface. As of this writing, no patch is available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
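As an added defensive example (not from the advisory, the vendor, or this page), the script below flags requests to the configuration-download endpoint in web server access logs. It assumes an Apache-style combined log format and a trusted management network of 10.0.0.0/24 (both assumptions); the log lines are constructed samples.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the advisory; any request to it is worth alerting on.
VULN_PATH = "/09/business/upgrade/upcfgAction.php"
# Hosts permitted to reach the management interface (assumed; adjust per site).
TRUSTED_NETS = [ip_network("10.0.0.0/24")]
# Apache/nginx "combined" format (assumed; the AC2400's own log format is unknown).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return an alert dict for a hit on the config-download endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    if path != VULN_PATH:
        return None
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    src = ip_address(m.group("ip"))
    trusted = any(src in net for net in TRUSTED_NETS)
    status = int(m.group("status"))
    # A 200 on download=true from an untrusted host means DBconfig.cfg, with its
    # cleartext credentials, most likely left the device: treat as critical.
    if params.get("download") == "true" and status == 200 and not trusted:
        severity = "critical"
    elif params.get("download") == "true":
        severity = "high"
    else:
        severity = "medium"
    return {"src": str(src), "ts": m.group("ts"), "status": status,
            "trusted": trusted, "severity": severity}

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Sep/2019:10:02:13 +0000] "GET /09/business/upgrade/upcfgAction.php?download=true HTTP/1.1" 200 8192
10.0.0.5 - - [01/Sep/2019:10:05:44 +0000] "GET /09/business/upgrade/upcfgAction.php?download=true HTTP/1.1" 200 8192
198.51.100.9 - - [01/Sep/2019:10:07:00 +0000] "GET /09/business/upgrade/upcfgAction.php HTTP/1.1" 403 0
"""

def scan(log_text):
    """Run classify() over every line and return the alerts in order."""
    return [a for a in (classify(line) for line in log_text.splitlines()) if a]

for alert in scan(SAMPLE_LOG):
    print(alert)
```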
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Comba/AC2400 devices
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.comba-telecom.com/en/news
- www.trustwave.com/en-us/resources/security-resources/security-advisories/
News mentions
No linked articles in our index yet.