Motorola Wimax CPE Multiple Vulnerabilities

The Motorola Wimax CPE (Shodan search) contains multiple vulnerabilities. I tested the following: Model ID: CPEi25890, Hardware Version: REV.B, version WMX04.

#1 Default Password

The initial GET request to the router will call a POST request to In the body of the response, the default password is shown. For the first time install, it is even auto-filled in for you too!


It looks like some ISPs may set a different password, but remote firmware updates may reset it based on this article. You can confirm the default password in the CPEi 725 Series manual too:

In the Password field, type the password (default is motorola)

#2 Stored XSS

An authenticated user can change the device name to include script code.

POST /cgi-bin/f1_fcgi_cgi.fcgi?timeStamp=1389922654157 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 161
Content-Type: text/html



#3 Default Wireless Passphrase?

The Wimax devices appear to come with a default wireless passphrase in addition to the device password.


The wifi_home.@WLANConfiguration[0].PreSharedKey1_KeyPassphrase is always motorola and the wifi_home.@WLANConfiguration[0].PreSharedKey2_KeyPassphrase is the user defined wireless password. Not sure if this means that ‘motorola’ is a backdoor password or just not used. Either way, it is sent over the network in cleartext when the /cgi-bin/f1_fcgi_cgi.fcgi script makes a call to /etc/www/html/wifi/wifi_security.html via the nextpage parameter.


Tags: , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: