VYPR
Unrated severity · NVD Advisory · Published Aug 29, 2022 · Updated Aug 3, 2024

CVE-2022-36558

Description

Seiko SkyBridge MB-A100/A110 v4.2.0 and below implements a hard-coded passcode for the root account. Attackers are able to access the passcode via the file /etc/ciel.cfg.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Seiko SkyBridge MB-A100/A110 routers contain a hard-coded root passcode exposed in /etc/ciel.cfg, allowing attackers to gain root access.

Vulnerability

Seiko SkyBridge MB-A100 and MB-A110 routers running firmware version 4.2.0 and below contain a hard-coded passcode for the root account. The passcode is stored in plaintext in the file /etc/ciel.cfg. This file is readable by authenticated users and potentially by unauthenticated attackers if exposed via services. Affected models: MB-A100 and MB-A110, firmware ≤4.2.0 [1].

Exploitation

An attacker can obtain the hard-coded root passcode by reading the /etc/ciel.cfg file. If the attacker has local or remote access to the device (e.g., via an exposed service or a low-privilege shell), they can retrieve the passcode and then log in as root with full administrative privileges. No additional authentication is needed to read the file if permissions allow.

Impact

Successful exploitation allows an attacker to gain root-level access to the affected router. This can lead to complete compromise of the device, including unauthorized configuration changes, data exfiltration, denial of service, or use as a pivot point for further network attacks.

Mitigation

Seiko Solutions has released a firmware update to address this issue. Users should upgrade to firmware version 4.2.1 or later. The vulnerability is not listed in the KEV catalog as of the publication date. If unable to upgrade, restrict network access to the device and monitor for unauthorized access attempts.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
