Tuesday, March 4, 2025
Follow us On Linkedin
HomeComputer SecurityVerizon Fios Router Vulnerabilities Allows Attackers to Gain Complete Control Over the...

Verizon Fios Router Vulnerabilities Allows Attackers to Gain Complete Control Over the Network

Computer SecurityNetwork SecurityVulnerability

Published on

By Gurubaran
Verizon Fios Router Vulnerabilities Allows Attackers to Gain Complete Control Over the Network

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Security researchers at Tenable uncovered multiple flaws with Verizon Fios Quantum Gateway router that allows a remote attacker to gain complete access over the network.

By exploiting the vulnerability an attacker could sniff into victims network traffic and van exfiltrate personal and financial details.

Three vulnerabilities discovered in Verizon’s Fios Quantum Gateway routers.

  • CVE-2019-3914 – Authenticated Remote Command Injection
  • CVE-2019-3915 – Login Replay
  • CVE-2019-3916 – Password Salt Disclosure

Command Injection – CVE-2019-3914

The vulnerability can be triggered by adding a firewall access control rule with a crafted hostname. In order to perform the command injection the attacker to be authenticated to device web admin interface.

Chris Lyne explained a possible insider threat, remote attack scenario for the command injection Vulnerability.

An insider could determine the public IP address and from the sticker, in the router, they grab the default login credentials. By having the information they can log in with the router and enable Remote Administration.

Verizon Fios Quantum

By enabling the remote administration the attacker can exploit CVE-2019-3914 remotely and gain access to the network.

CVE-2019-3915 – Login Replay

HTTPS is not enforced for the router web admin interface Login URL, it allows an attacker in the same network to sniff the packets and to gain access over the web interface.

CVE-2019-3916 – Password Salt Disclosure

As the firmware doesn’t enforce the HTTPS, a local attacker can sniff the login request contains the salted password hash and could perform a dictionary attack to recover the original password.

These routers are supplied to all new Verizon Fios customers unless they elect to use their own router, which isn’t very common, said Chris Lyne. he outlined several potential attack scenarios.

Users of Verizon Fios routers are urged to updated with version 02.02.00.13 and the researchers also released PoC.

Related Read

MikroTik RouterOS Vulnerability Allows Hackers to Perform DOS Attacks

New DNS Hijacking Attack Exploiting DLink Routers to Target Netflix, PayPal, Uber, Gmail Users

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Press Release

Bubba AI, Inc. is Launching Comp AI to Help 100,000 Startups Get SOC 2 Compliant by 2032.

With the growing importance of security compliance for startups, more companies are seeking to...
CVE/vulnerability

IBM Storage Virtualize Flaws Allow Remote Code Execution

Two critical security flaws in IBM Storage Virtualize products could enable attackers to bypass...
CVE/vulnerability

Progress WhatsUp Gold Path Traversal Vulnerability Exposes Systems to Remote code Execution

A newly disclosed path traversal vulnerability (CVE-2024-4885) in Progress Software’s WhatsUp Gold network monitoring...
Cisco

CISA Alerts on Active Exploitation of Cisco Small Business Router Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning on March...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

CVE/vulnerability

IBM Storage Virtualize Flaws Allow Remote Code Execution

Two critical security flaws in IBM Storage Virtualize products could enable attackers to bypass...
CVE/vulnerability

Progress WhatsUp Gold Path Traversal Vulnerability Exposes Systems to Remote code Execution

A newly disclosed path traversal vulnerability (CVE-2024-4885) in Progress Software’s WhatsUp Gold network monitoring...
Cisco

CISA Alerts on Active Exploitation of Cisco Small Business Router Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning on March...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved