CVE-2020-11447
Description
An issue was discovered on Bell HomeHub 3000 SG48222070 devices. Remote authenticated users can retrieve the serial number via cgi/json-req - this is an information leak because the serial number is intended to prove an actor's physical access to the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote users can leak the serial number of Bell HomeHub 3000 devices via cgi/json-req, defeating physical-access proof.
Vulnerability
An information disclosure vulnerability exists in the Bell HomeHub 3000 (model SG48222070) firmware. The /cgi/json-req endpoint returns the device's serial number to any remote authenticated user, without requiring proof of physical access. The serial number is intended to verify that an actor is physically near the device, but the API does not enforce any such constraint. The issue affects the Bell HomeHub 3000; the same code path may exist in Home Hub 2000 and above models [1], but the CVE scope is limited to the 3000.
Exploitation
An attacker must have valid credentials (username/password) for the Home Hub's web interface. With those, they can send a crafted HTTP request to /cgi/json-req and retrieve the serial number in the response. No special network position is required beyond being able to reach the device over the LAN, or over the WAN if remote management is enabled.
Impact
Successful exploitation leaks the device's serial number, which is a unique hardware identifier. The serial number is intended to prove that a support or management action is being performed by someone with physical access. Leaking it may allow an attacker to impersonate the device owner in support interactions or use the serial number in further attacks that rely on knowledge of that identifier. No other data (passwords, configuration) is disclosed via this particular endpoint.
Mitigation
As of the publication date (2023-11-17), no firmware patch or official mitigation has been announced by Bell for the HomeHub 3000. Users can reduce exposure by avoiding remote administration, using strong passwords, and restricting network access to the management interface. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Bell/HomeHub 3000
Patches
No patches discovered yet.