High severityNVD Advisory· Published Nov 14, 2025· Updated Apr 15, 2026

CVE-2022-4985

Description

Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network traffic and attached systems.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cxsecurity.com/issue/WLB-2022010024nvd
help.vodacom.co.za/personal/home/61/9493/1023659/Vodafone-H500s-WiFi-routernvd
www.exploit-db.com/exploits/50636nvd
www.vulncheck.com/advisories/vodafone-h500s-wifi-password-disclosure-via-activation-jsonnvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000