A bunch of home gateway vendors, presumably sourcing their firmware from the same place, can be hijacked using depressingly common hard-coded logins.

As the Carnegie-Mellon CERT states, the vendors involved are ASUS and ZTE in Asia, European vendors Digicom and Observa Telecom, and carrier Philippine Long Distance Telephone (PLDT), which was presumably house-branding the kit.

All the affected devices have “XXXXairocon” as the telnet password, where the “XXXX” is the device's MAC address. For all but the PLDT device, the username is admin , while the PLDT username is adminpldt .

The vulnerability first turned up last year in the ZTE ZXV10 W300, and in May for the Observa Telecom on the Full Disclosure list.

Affected devices are:

Since nobody's patched the firmware, the CERT recommends blocking telnet and SNMP in firewall rules. ®