VYPR
Unrated severity · NVD Advisory · Published Nov 10, 2021 · Updated Aug 4, 2024

CVE-2021-40519

Description

Airangel HSMX Gateway devices through 5.2.04 have Hard-coded Database Credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Airangel HSMX Gateway devices up to 5.2.04 ship with hard-coded database credentials, allowing remote attackers to access the backend database.

Vulnerability

The Airangel HSMX Gateway, versions through 5.2.04, contains hard-coded database credentials [1]. The credentials are embedded in the device firmware, enabling anyone with network access to the database port to authenticate without needing legitimate credentials. The affected product is the HSMX Gateway, which runs Airangel's ElevenOS platform for Wi-Fi authentication and performance management [1]. All firmware versions up to and including 5.2.04 are vulnerable.

Exploitation

An attacker with network access to the HSMX Gateway's database service (typically MySQL or MariaDB on the default port 3306) can attempt to connect using the well-known hard-coded credentials. No authentication bypass, user interaction, or elevated privileges are required beyond the ability to reach the database port. The attacker can connect directly using a database client and the hard-coded username and password.

Impact

Successful exploitation gives the attacker full read and write access to the backend database. This can lead to disclosure of sensitive information stored in the database, such as user credentials, Wi-Fi configuration data, guest lists, and possibly administrative passwords. The attacker may also modify or delete data, potentially causing denial of service or privilege escalation within the management interface.

Mitigation

Airangel has not publicly disclosed a fixed version for the HSMX Gateway as of the publication date [1]. Users should use firewall rules to restrict access to the database port (3306) to trusted management hosts only. If possible, change the default database credentials via the product's administrative interface or configuration files. Check the vendor's website or support portal for firmware updates that address this issue [1].
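
One way to verify that the port restriction above is holding, as an added example that is not part of the advisory or any vendor material: it scans netfilter-style LOG lines for TCP connections to port 3306 from sources outside a management allowlist. The allowlist networks, the `DBWATCH` log prefix, all addresses and the sample lines are constructed for illustration, and it assumes a firewall in front of the gateway logs new connections in this key=value format.

```python
import ipaddress
import re
from collections import Counter

DB_PORT = 3306  # database port named in the advisory
# Assumption: hosts permitted to reach the database (constructed values).
MGMT_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/28", "192.0.2.10/32")]

# Constructed sample lines in netfilter LOG key=value style; "DBWATCH" is a made-up log prefix.
SAMPLE_LOG = """\
Nov 10 09:14:02 fw kernel: DBWATCH IN=eth1 OUT=eth0 SRC=10.20.0.5 DST=10.30.0.2 LEN=60 PROTO=TCP SPT=51544 DPT=3306 SYN
Nov 10 09:15:40 fw kernel: DBWATCH IN=eth2 OUT=eth0 SRC=172.16.44.91 DST=10.30.0.2 LEN=60 PROTO=TCP SPT=40022 DPT=3306 SYN
Nov 10 09:15:41 fw kernel: DBWATCH IN=eth2 OUT=eth0 SRC=172.16.44.91 DST=10.30.0.2 LEN=60 PROTO=TCP SPT=40023 DPT=3306 SYN
Nov 10 09:16:03 fw kernel: DBWATCH IN=eth2 OUT=eth0 SRC=172.16.44.91 DST=10.30.0.2 LEN=60 PROTO=TCP SPT=40100 DPT=443 SYN
Nov 10 09:17:12 fw kernel: DBWATCH IN=eth2 OUT=eth0 SRC=not-an-ip DST=10.30.0.2 PROTO=TCP DPT=3306 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_fields(line):
    """Return the KEY=value pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def is_allowed(src):
    """True if the source address falls inside a management network."""
    return any(src in net for net in MGMT_ALLOWLIST)

def unexpected_db_clients(log_text):
    """Count database-port connections per (source, destination) from non-allowlisted sources."""
    hits, malformed = Counter(), []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(DB_PORT):
            continue  # not traffic to the database port
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
        except ValueError:
            malformed.append(line)  # keep for manual review instead of dropping silently
            continue
        if not is_allowed(src):
            hits[(str(src), f.get("DST", "?"))] += 1
    return hits, malformed

if __name__ == "__main__":
    hits, malformed = unexpected_db_clients(SAMPLE_LOG)
    for (src, dst), n in hits.most_common():
        print(f"ALERT {src} -> {dst}:{DB_PORT} ({n} attempts, source not in allowlist)")
    for line in malformed:
        print(f"REVIEW unparsable source: {line}")
```

Any alert here means either the firewall rule is missing or the allowlist is out of date; both are worth resolving while the hard-coded credentials remain in place.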

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
