eWON Devices Multiple Default Credentials

November 13, 2017

While researching the eWON devices I found their manuals had plenty of default credentials!

eWON 4000
Username: adm
Password: adm

eWON 2001, 2005, 2101, 4101
User Name:

eWON 500-2001-4001-4002
Login adm
Password adm

eWON 500
and adm/adm as User Name/Password.

eWON eBuddy
(default: adm/adm)

eWON Flexy
Username: adm
Password: adm

The default username & password are both “adm”

eWON eFive 25 & 100
At first login enter admin as the username and admin as the password.


Alcatel-Lucent OmniSwitch 6250 Switch sys_filesystem_info_si.html Multiple Parameter Stored XSS

March 1, 2016

The Alcatel-Lucent OmniSwitch 6250 Switch has a cross-site scripting (XSS) vulnerability in the /sys/content/sys_filesystem_info_si.html page (CVE-2016-78002). An authenticated user with permission to update the fields can inject arbitrary JavaScript into three fields; the input is stored and rendered unescaped on /phys/content/phys_chs_info_stable.html when that page is viewed. The fields/parameters are Contact (EmWeb_ns:mip:208.T1:O1 parameter), Name (EmWeb_ns:mip:209.T1:O2 parameter) and Location (EmWeb_ns:mip:210.T1:O3 parameter), all of which are updated by a POST request.

The payload looks like:


Alcatel-Lucent OmniSwitch 6250 Switch Default Admin Credentials

February 28, 2016

Alcatel-Lucent OmniSwitch 6250 Switch can be managed via telnet console or HTTP via a utility they call WebView. The switch creates a default admin account for management according to the manual.

Startup Defaults
By default, a single user management account is available at the first bootup of the switch. This account
has the following user name and password:
• user name—admin
• password—switch


NOVUS SuperView New Application Default Admin Account

February 3, 2016

NOVUS Automation makes software called SuperView that “is a Supervisory Control and Data Acquisition software (SCADA) that brings to the user a visual development model to create applications. Besides communication with Modbus RTU and Modbus TCP devices, also is possible to use SuperView stations operating in Client or Server modes allowing distributed supervision of a process or system.” When creating a new application in the software a default admin account is also created:


NOVUS AirGate-3G Dual SIM Industrial Cellular VPN Router Default Admin Credentials

February 2, 2016

NOVUS Automation makes a variety of products for ICS and SCADA management. The NOVUS AirGate-3G Dual SIM Industrial Cellular VPN Router installs with a default admin account according to the manual:


LOYTEC Electronics Multiple Devices Web Interface Default Admin Credentials

February 1, 2016

LOYTEC electronics GmbH has a manuals download section on their site (requires authentication) showing the following devices have a default admin account:

  • L-DALI DALI Light Controller
  • L-INX Automation Server
  • L-GATE Universal Gateway
  • L-IP CEA-709/IP Router
  • L-VIS
  • LIOB-10x I/O Module
  • LIOB-x5x I/O Module
  • LIP-ME20X L-IP BACnet Router
  • LWEB-802
  • LWEB-803
  • LWEB-900 Building Management System


The L-Proxy CEA-709 Gateway has a different default:


BEC Technologies Multiple Devices Web Interface Default Admin Credentials

January 29, 2016

Basically every BEC Technologies device uses a web interface for device management and each one has the same default admin credentials:

Web Interface: (Username and Password)
Username: admin
Password: admin

The BiPAC 7800NL 802.11n ADSL2+ Firewall Router ships with multiple accounts:

Username: admin
Password: admin
Username: user
Password: user
Username: support
Password: support

Falcon USHA UPS SNMP HTTP Agent Default Admin Credentials

January 28, 2016

Falcon UPS devices use an SNMP HTTP agent for remote administration. According to the manual it comes with default admin credentials.

Click the Become Administrator button at the bottom of the screen. Enter USHA as the login name and admin as the password. (Case sensitive)


TerraMaster Storage Devices Web Interface Default Admin Credentials

January 27, 2016

TerraMaster storage devices come with default admin credentials according to the online installation guide. These include the WORM-Storage, F4-NAS, F2-NAS 2 and F2-C2O.



KZ Broadband iSurf 1004 / 1008 Multiple Vulnerabilities

January 26, 2016

KZ Broadband Technologies, LTD. iSurf™ 1004 and 1008 Integrated Access Devices install with a default admin account for the web interface according to the manual.


I confirmed this works on iSurf 1004 V2.10 B02D09 Pack 02, iSurf 1004 IAD V2.10 B02D09 Pack 03 and iSurf 1008+ V2.10 B02D09 Pack 23.

The router allows multiple accounts with different access levels, which makes cross-site scripting a concern: a value stored by one account is rendered in the browser of any other user who views the page. There is a very basic stored XSS bug (CVE-2016-78001):

GET /en/cgi/SysSetContact.cgi?sys_contact=DF"><scr1pt>alert('DF')</scr1pt> HTTP/1.1

The script will render on /en/sys_info.htm:

<td><textarea cols="60" rows="5" id="contact" class="select"></textarea>
<input type="hidden" name="sys_contact" value="DF"><scr1pt>alert('DF')</scr1pt>">

Screenshot PoC:
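Both the iSurf sys_contact bug above and the OmniSwitch Contact/Name/Location bug earlier on this page come from the same defect: a stored string is concatenated into HTML without output encoding, so a double quote closes the attribute and the rest of the value becomes markup. The following is an added example, not code from either vendor or from the original posts. It reconstructs the vulnerable rendering pattern next to a hardened version that uses Python's html.escape, and uses html.parser to check which one actually lets the value break out of its attribute. The sample string is constructed from the request shown above (the "scr1pt" spelling is kept as the page shows it); the function and field names are assumptions, not the devices' own code.

```python
import html
from html.parser import HTMLParser

# Constructed sample input, taken from the sys_contact request quoted above.
SAMPLE_CONTACT = 'DF"><scr1pt>alert(\'DF\')</scr1pt>'


def render_contact_vulnerable(sys_contact: str) -> str:
    """Reproduces the defect: the stored value is concatenated raw into an attribute."""
    return '<input type="hidden" name="sys_contact" value="' + sys_contact + '">'


def render_contact_fixed(sys_contact: str) -> str:
    """Hardened rendering: escape &, <, >, " and ' so the value cannot close the attribute."""
    return ('<input type="hidden" name="sys_contact" value="'
            + html.escape(sys_contact, quote=True) + '">')


def render_device_info_fixed(contact: str, name: str, location: str) -> str:
    """Escaped table cells for the three stored fields (Contact, Name, Location).

    Same encoder as above; text content needs the same treatment as attributes.
    """
    cells = (html.escape(v, quote=True) for v in (contact, name, location))
    return "<tr>" + "".join("<td>" + c + "</td>" for c in cells) + "</tr>"


class _FragmentInspector(HTMLParser):
    """Records every start tag and the attributes of the first <input> it sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and not self.input_attrs:
            # html.parser decodes entity references in attribute values for us.
            self.input_attrs = dict(attrs)


def parse_fragment(fragment: str):
    """Return (list of start tags, attributes of the first <input>) for a fragment."""
    p = _FragmentInspector()
    p.feed(fragment)
    p.close()
    return p.tags, p.input_attrs


def value_stays_in_attribute(render, value: str) -> bool:
    """Regression check for a renderer: exactly one <input> tag is produced and the
    browser-side attribute value round-trips to the original stored string."""
    tags, attrs = parse_fragment(render(value))
    return tags == ["input"] and attrs.get("value") == value


if __name__ == "__main__":
    print("vulnerable:", render_contact_vulnerable(SAMPLE_CONTACT))
    print("fixed:     ", render_contact_fixed(SAMPLE_CONTACT))
    print("vulnerable keeps value in attribute:",
          value_stays_in_attribute(render_contact_vulnerable, SAMPLE_CONTACT))
    print("fixed keeps value in attribute:     ",
          value_stays_in_attribute(render_contact_fixed, SAMPLE_CONTACT))
```

The check is what you would keep as a unit test on the web interface's templates: it passes for the escaped renderer and fails for the raw one, because the parser sees a second start tag (scr1pt) in the vulnerable output and only ever sees the literal "DF" as the attribute value.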