CVE-2019-11061: HG100 has a broken access control vulnerability in its Web API Server
First published: Thu Aug 29 2019(Updated: )
A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Credit: twcert@cert.org.tw
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ASUS HG100 firmware | <4.00.09 | |
| ASUS HG100 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-11061?
The severity of CVE-2019-11061 is critical with a CVSS 3.0 base score of 8.1.
What is the vulnerable software for CVE-2019-11061?
The vulnerable software for CVE-2019-11061 is ASUS HG100 firmware versions up to 4.00.06.
How can an attacker exploit CVE-2019-11061 vulnerability?
An attacker in the same local area network can control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication.
Is authentication required to exploit CVE-2019-11061?
No, authentication is not required to exploit CVE-2019-11061 vulnerability.
Is there a fix available for CVE-2019-11061?
Ensure to update the ASUS HG100 firmware to version 4.00.09 or newer to mitigate the vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/asus
- canonical/asus hg100 firmware
- canonical/asus hg100