The Motorola WiMAX CPE (Shodan search) contains multiple vulnerabilities. I tested the following device: Model ID CPEi25890, Hardware Version REV.B, version WMX04.00.01.02.23.
#1 Default Password
The initial GET request to the router triggers a POST request to http://220.127.116.11./cgi-bin/f1_fcgi_cgi.fcgi. The default password is shown in the body of the response. On a first-time install it is even auto-filled in for you!
In the Password field, type the password (default is motorola)
#2 Stored XSS
An authenticated user can change the device name to include script code.
POST /cgi-bin/f1_fcgi_cgi.fcgi?timeStamp=1389922654157 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Encoding: gzip, deflate
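The device-name field above is a classic stored XSS sink: a value accepted once and rendered into the management UI on every later page view. The following is an added example, not code from the CPE firmware or from the author, showing the two controls that close it: an allow-list check on the name before it is stored, and HTML escaping of the stored value at render time. The name policy (printable ASCII, no markup characters, 1 to 32 characters) and the HTML layout are assumptions for the example; the page does not document the device's own rules.

```python
import html
import re

# Assumed device-name policy for this example: letters, digits, space, '_', '.', '-';
# 1 to 32 characters. Markup characters such as '<', '>', '"' and '&' are rejected outright.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,32}$")


def validate_device_name(name: str) -> bool:
    """Server-side allow-list check applied before the name is written to the config store."""
    return DEVICE_NAME_RE.fullmatch(name) is not None


def render_status_vulnerable(device_name: str) -> str:
    """Mirrors the flaw described on the page: the stored value is placed into HTML unescaped,
    so any markup stored in the name is interpreted by the browser of whoever views the page."""
    return f"<tr><td>Device Name</td><td>{device_name}</td></tr>"


def render_status_hardened(device_name: str) -> str:
    """Context-aware output encoding: the stored value is HTML-escaped on every render, so a
    name that contains markup is displayed literally instead of being executed."""
    return f"<tr><td>Device Name</td><td>{html.escape(device_name, quote=True)}</td></tr>"


def update_device_name(store: dict, name: str) -> bool:
    """Full input-side handling: reject names that fail the policy, store the rest.
    Returns True when the name was accepted and stored."""
    if not validate_device_name(name):
        return False
    store["device_name"] = name
    return True


# Constructed sample input: a device name carrying a script tag, as a tester might submit it.
MARKUP_NAME = "<script>alert('xss')</script>"
SAFE_NAME = "Living-Room CPE"

if __name__ == "__main__":
    config = {}
    print("accepted markup name:", update_device_name(config, MARKUP_NAME))   # False
    print("accepted safe name:  ", update_device_name(config, SAFE_NAME))     # True
    print(render_status_vulnerable(MARKUP_NAME))
    print(render_status_hardened(MARKUP_NAME))
```

Both controls are needed: validation stops the obvious payloads at the door, but escaping at the point of rendering is what protects every page the value reaches, including pages written later or by a different team, and it protects values that entered the store by another path (a restored backup, a firmware migration) that never passed the validator.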
#3 Default Wireless Passphrase?
The WiMAX devices appear to ship with a default wireless passphrase in addition to the default device password.
The wifi_home.@WLANConfiguration.PreSharedKey1_KeyPassphrase value is always motorola, while wifi_home.@WLANConfiguration.PreSharedKey2_KeyPassphrase holds the user-defined wireless password. I am not sure whether this means that ‘motorola’ is a backdoor passphrase or simply unused. Either way, it is sent over the network in cleartext when the /cgi-bin/f1_fcgi_cgi.fcgi script loads /etc/www/html/wifi/wifi_security.html via the nextpage parameter.
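Findings #1 and #3 share one root cause: factory-default credentials that survive into production. A practical defensive control is an audit over the device's exported configuration that flags any credential-bearing key still set to a known default or to a short value. The block below is an added example, not code from the page or from Motorola. The `key=value` line format of the dump is an assumption (the page only names the keys), the `admin.Password` key is a hypothetical stand-in for wherever the device password is held, and the sample dump is constructed; the key names under `wifi_home.@WLANConfiguration` and the default value `motorola` come from the page.

```python
import re
from typing import Dict, List

# Constructed sample configuration dump in an assumed `key=value` format. The
# WLANConfiguration keys and the default value "motorola" are from the advisory;
# "admin.Password" is a hypothetical key standing in for the device password.
SAMPLE_CONFIG = """
wifi_home.@WLANConfiguration.SSID=HomeNet
wifi_home.@WLANConfiguration.PreSharedKey1_KeyPassphrase=motorola
wifi_home.@WLANConfiguration.PreSharedKey2_KeyPassphrase=CorrectHorseBattery
admin.Password=motorola
"""

# Factory defaults the audit treats as unacceptable wherever they appear.
DEFAULT_CREDENTIALS = {"motorola"}

# Keys whose values are secrets: anything mentioning a passphrase, password or pre-shared key.
CREDENTIAL_KEY_RE = re.compile(r"passphrase|password|presharedkey", re.IGNORECASE)


def parse_config(text: str) -> Dict[str, str]:
    """Parse `key=value` lines into a dict; blank and malformed lines are skipped."""
    pairs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def audit_credentials(config: Dict[str, str], min_len: int = 12) -> List[str]:
    """Return one finding per credential-bearing key whose value is a known factory
    default or shorter than `min_len` characters. Non-secret keys are ignored."""
    findings: List[str] = []
    for key, value in config.items():
        if not CREDENTIAL_KEY_RE.search(key):
            continue
        if value.lower() in DEFAULT_CREDENTIALS:
            findings.append(f"{key}: factory default value still set")
        elif len(value) < min_len:
            findings.append(f"{key}: value shorter than {min_len} characters")
    return findings


def audit_text(text: str, min_len: int = 12) -> List[str]:
    """Convenience wrapper: parse a dump and audit it in one call."""
    return audit_credentials(parse_config(text), min_len)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING", finding)
```

Run against the constructed dump, the audit reports PreSharedKey1 and the device password as still at the factory default and passes the user-defined PreSharedKey2. The same check belongs in a provisioning pipeline so a unit is never shipped, or re-enrolled after a factory reset, while any of these keys still reads `motorola`.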