CVE-2016-15056

Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. These backup files remain accessible without authentication until the next reboot. A remote attacker on the local network can request 'Configuration_file.cfg' directly to obtain the backup archive. Because backup files are not encrypted, they expose sensitive information including the plaintext admin password, allowing full compromise of the device.

CVSS

No CVSS.

References

Link	Resource
https://seclists.org/fulldisclosure/2016/Jul/66
https://web.archive.org/web/20160403014231/http://www.ubeeinteractive.com/products/cable/evw3226
https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities
https://www.exploit-db.com/exploits/40156
https://www.vulncheck.com/advisories/ubee-evw3226-unauthenticated-backup-file-disclosure
https://seclists.org/fulldisclosure/2016/Jul/66
https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities
https://www.exploit-db.com/exploits/40156

Configurations

No configuration.

History

18 Nov 2025, 17:15

Type	Values Removed	Values Added
References	~~() https://seclists.org/fulldisclosure/2016/Jul/66 -~~	() https://seclists.org/fulldisclosure/2016/Jul/66 -
References	~~() https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities -~~	() https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities -
References	~~() https://www.exploit-db.com/exploits/40156 -~~	() https://www.exploit-db.com/exploits/40156 -

14 Nov 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-14 23:15

Updated : 2025-11-18 17:15

NVD link : CVE-2016-15056

Mitre link : CVE-2016-15056

CVE.ORG link : CVE-2016-15056

JSON object : View

Products Affected

No product.

CWE

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

{"id": "CVE-2016-15056", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-14T23:15:41.687", "references": [{"url": "https://seclists.org/fulldisclosure/2016/Jul/66", "source": "[email protected]"}, {"url": "https://web.archive.org/web/20160403014231/http://www.ubeeinteractive.com/products/cable/evw3226", "source": "[email protected]"}, {"url": "https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/40156", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/ubee-evw3226-unauthenticated-backup-file-disclosure", "source": "[email protected]"}, {"url": "https://seclists.org/fulldisclosure/2016/Jul/66", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.exploit-db.com/exploits/40156", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-538"}]}], "descriptions": [{"lang": "en", "value": "Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. These backup files remain accessible without authentication until the next reboot. A remote attacker on the local network can request 'Configuration_file.cfg' directly to obtain the backup archive. Because backup files are not encrypted, they expose sensitive information including the plaintext admin password, allowing full compromise of the device."}], "lastModified": "2025-11-18T17:15:56.507", "sourceIdentifier": "[email protected]"}