http://www.theregister.co.uk/2015/04/09/no_moto_surfboard_modem_has_hardcoded_creds/

Oh no, Moto! Cable modem has hardcoded 'technician' backdoor

SOHOpeless router tosses your internet connection into the DMZ for max p0wn potential

9 Apr 2015 at 07:28, Richard Chirgwin

Researchers at Rapid7 have turned up a set of typically dumb vulnerabilities in Motorola's DOCSIS/EuroDOCSIS 3.0-capable SURFboard SBG 6580 cable broadband modem.

The device, which also ships under the Arris brand, has vulnerabilities included hardcoded login credentials that will allow an outside attacker to take control of the kit.

This goes beyond the usual “ooh hax0rs can get my modem” FUD, because once exploited, an attacker could drop a user's computer into the DMZ, leaving the machine naked to the outside world.

<snip>

The three vulnerabilities are:

• A cross-site request forgery tagged CVE-2015-0965 that lets an arbitrary site log in without the user's knowledge;
  
  
• At least one hard-coded backdoor, CVE-2015-0966, letting “technician” log in with the password yZgO8Bvj; and
  
  
• A cross-site scripting vulnerability in the firewall config page, CVE-2015-0964, letting attackers inject Javascript to do pretty much anything they want.
  

<snip>