VYPR
← All advisories
Unrated severityNVD Advisory· Published Mar 18, 2019· Updated Aug 4, 2024

CVE-2019-3496

CVE-2019-3496

Description

Hardcoded credentials in Wifi-soft UniBox controller 3.x allow unauthenticated remote command execution as root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hardcoded credentials in Wifi-soft UniBox controller 3.x allow unauthenticated remote command execution as root.

Vulnerability

The vulnerability exists in the tools/controller/diagnostic_tools_controller endpoint of Wifi-soft UniBox controller version 3.x. The controller does not properly validate authentication, and hardcoded credentials can be used to bypass authentication, allowing an attacker to execute arbitrary system commands on the server with root privileges. [1]

Exploitation

An attacker can exploit this by using the hardcoded credentials to authenticate to the diagnostic tools controller, then send crafted requests to execute arbitrary commands. No user interaction is required, and the attacker only needs network access to the controller's web interface. [1]

Impact

Successful exploitation results in remote command execution as the root user, leading to full compromise of the device. The attacker can read, modify, or delete any data, install malware, or pivot to other network resources. [1]

Mitigation

As of the publication date (2019-03-18), no patch was available. Users should restrict network access to the UniBox controller and monitor for unauthorized access. The vendor may have released a fix in later versions; consult the vendor advisory. [1]

References
  1. Packet Storm

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.