CVE-2023-39854
Description
The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ATX Ucrypt through 3.5 allows SSRF/LFI via a URL parameter, exploitable with default credentials.
Vulnerability
The web interface of ATX Ucrypt versions 3.5 and older contains a Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerability in the /hydra/view/get_cc_url endpoint. An authenticated attacker can supply a URL in the url parameter, causing the server to fetch remote resources or include local files. Default credentials exist for admin, master, and user accounts [1].
Exploitation
An attacker can exploit this by authenticating (or using default credentials) and making requests to /hydra/view/get_cc_url?board_id=1&url=<malicious_url>, where the URL can be a file:// URI for LFI or an https:// URI for SSRF. No additional privileges or user interaction are required [1].
Impact
Successful exploitation allows an attacker to read arbitrary system files (e.g., /etc/passwd) and perform SSRF attacks to reach internal hosts. This can lead to information disclosure and further network compromise [1].
Mitigation
No official patch is available from ATX Networks; the vendor did not respond to disclosure attempts. Users should rotate all default credentials and audit user accounts. The CERT/CC case (VU#293164) was opened, but no fix has been released [1].
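With no patch available, reviewing web access logs for use of the affected endpoint is a practical compensating check. The following is an added example, not vendor or CVE-record code: it assumes the requests are recorded in combined log format (for instance by a reverse proxy in front of the device), and the log lines, addresses, and host names in it are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/hydra/view/get_cc_url"  # path named in the CVE description
# Assumption: combined log format; adjust the pattern to the real log source.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, made-up hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /hydra/view/get_cc_url?board_id=1&url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1432',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /hydra/view/get_cc_url?board_id=1&url=https%3A%2F%2F10.0.0.5%2Fstatus HTTP/1.1" 200 88',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /hydra/view/get_cc_url?board_id=1&url=https%3A%2F%2Fcc.example.com%2Ffeed HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

def classify_target(target):
    """Label a decoded url parameter value, or return None if unremarkable."""
    try:
        parts = urlsplit(target)
        host = parts.hostname or ""
    except ValueError:
        return "malformed-url"
    scheme = parts.scheme.lower()
    if scheme == "file":
        return "local-file-read"
    if scheme not in ("http", "https"):
        return "unexpected-scheme"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: flag localhost and single-label (intranet) names.
        return "internal-name" if host == "localhost" or "." not in host else None
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal-address"
    return None

def scan(lines):
    """Return (line_number, label, target) for suspicious endpoint requests."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        req = urlsplit(m.group(1)) if m else None
        if req is None or req.path != ENDPOINT:
            continue
        for target in parse_qs(req.query).get("url", []):  # percent-decoded
            label = classify_target(target)
            if label:
                findings.append((n, label, target))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests to external host names are not flagged here; where the set of legitimate url values is known, an allowlist comparison is the stricter check.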
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ATX/Ucrypt
Patches
No patches discovered yet.
References