CVE-2019-19967
Description
The Administration page on Connect Box EuroDOCSIS 3.0 Voice Gateway CH7465LG-NCIP-6.12.18.25-2p6-NOSH devices accepts a cleartext password in a POST request on port 80, as demonstrated by the Password field to the xml/setter.xml URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Connect Box EuroDOCSIS 3.0 Voice Gateway transmits administrator credentials in cleartext over HTTP, enabling network-adjacent attackers to capture passwords.
Vulnerability
The Connect Box EuroDOCSIS 3.0 Voice Gateway CH7465LG-NCIP-6.12.18.25-2p6-NOSH exposes an administrative interface that transmits credentials in cleartext. When an administrator logs in via a POST request to the /xml/setter.xml URI over port 80, the Password field is sent as plaintext without encryption [1]. This affects all devices running firmware version 6.12.18.25-2p6-NOSH as discovered and reported by researchers [1].
Exploitation
An attacker with network access to the router's management interface (typically on the local LAN, or any position capable of sniffing traffic) can capture the cleartext administrator password by performing packet sniffing (e.g., with Wireshark) while an administrator submits the login form. The attacker does not need any prior authentication or special privileges beyond the ability to observe HTTP traffic. The vulnerability is triggered when the administrator accesses the administration page and submits the POST request [1].
Impact
Successful exploitation results in full disclosure of the administrator's cleartext password. The attacker can then gain administrative control over the device, potentially altering Wi‑Fi settings, DNS configurations, firewall rules, or other router parameters. This compromises the confidentiality and integrity of the network managed by the router. The confidentiality of the password itself is also directly violated [1].
Mitigation
The vendor (Connect Box / the device manufacturer) was contacted by the researcher, and the vulnerability was registered as CVE-2019-19967 [1]. As of the publication date, no firmware update has been publicly released to enforce encrypted communications (e.g., HTTPS) for the administration interface. Users should consider disabling remote administration and limiting access to the management interface only to trusted, physically secured networks. If the device is no longer supported, replacement with a security-updated model is recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Connect Box/Connect Box EuroDOCSIS 3.0 Voice Gateway CH7465LG-NCIP-6.12.18.25-2p6-NOSH
- Range: 6.12.18.25-2p6-NOSH
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Cleartext transmission of sensitive information — the administration page sends the password in plaintext over HTTP without encryption."
Attack vector
An attacker on the same local network as the router can sniff HTTP traffic to capture the administrator password. The router's administration page transmits credentials in cleartext via a POST request on port 80, with the password sent in the `Password` field to the `xml/setter.xml` URI [1]. No encryption (e.g., HTTPS) is applied, and the authentication mechanism is described as simple Basic Authentication (Base64-encoded), which provides no real confidentiality [1].
Affected code
The Administration page of the Connect Box EuroDOCSIS 3.0 Voice Gateway CH7465LG-NCIP-6.12.18.25-2p6-NOSH accepts credentials via a POST request on port 80. The vulnerable endpoint is the `xml/setter.xml` URI, where the `Password` field is transmitted in cleartext [1].
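Added example (not from the advisory or the vendor): a check a defender could run over HTTP requests recorded on their own network to flag the two exposures described above, a secret form field or a Basic Authorization header on a plaintext port, without ever echoing the secret. Assumptions: the body is form-urlencoded, the field name "passwd" is an extra illustrative entry, and the sample request is constructed.

```python
import base64
from urllib.parse import parse_qsl

# "Password" is the field named on this page; "passwd" is an assumed extra.
SECRET_FIELDS = {"password", "passwd"}

def audit_http_request(raw: bytes, dst_port: int) -> list[str]:
    """Return findings for one request observed on a plaintext (non-TLS) port.

    Secret values are never returned; only where the exposure occurs.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    findings = []
    where = f"{method} {target} on port {dst_port}"
    # Form body: flag any non-empty secret field sent without transport encryption.
    if method == "POST":
        for key, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if key.lower() in SECRET_FIELDS and value:
                findings.append(f"cleartext form field '{key}' in {where}")
    # Basic auth is only Base64, so it is just as readable on the wire.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            base64.b64decode(auth[6:], validate=True)
            findings.append(f"Basic Authorization header in {where}")
        except ValueError:  # not valid Base64, so not a usable credential
            pass
    return findings

# Constructed sample request (not a capture from a real device).
SAMPLE = (
    b"POST /xml/setter.xml HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n\r\n"
    b"Other=1&Password=CONSTRUCTED"
)

if __name__ == "__main__":
    for finding in audit_http_request(SAMPLE, 80):
        print(finding)
```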
What the fix does
The advisory does not include a published patch or firmware update from the manufacturer. The researcher states that the manufacturer was contacted and put in contact with the development team to assist in the improvement process, but no remediation details are provided [1]. The recommended fix would be to enforce HTTPS for all administration traffic and to avoid transmitting passwords in cleartext or using only Base64 encoding.
Preconditions
- network: Attacker must be on the same local network as the router to sniff HTTP traffic.
- config: The router's administration interface must be accessible via HTTP on port 80.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.