Security readout for executives and security teams
Plain-English summary
A flaw in Ubee EVW3226 cable modem/routers leaves a configuration backup file sitting in the device's web folder after it's generated. Anyone on the local network can download it without logging in, and the file contains the admin password in plain text, handing over full control of the device.
Executive priority
Treat as high priority for any environment that still operates Ubee EVW3226 gateways, especially in offices, branch sites, or shared-tenant Wi-Fi. A single LAN-resident attacker can take full control of the gateway and the network behind it; coordinate with the ISP to confirm firmware status or replace the hardware.
Technical view
Firmware versions up to 1.0.20 of the Ubee EVW3226 write the generated backup archive to the web root and leave it accessible until reboot. An unauthenticated request for 'Configuration_file.cfg' returns the unencrypted archive, which discloses the plaintext administrative credentials, enabling full device takeover (CWE-538, sensitive information in resource not removed before reuse).
Likely exposure
Exposure is limited to attackers with access to the LAN side of an affected EVW3226 (guest Wi-Fi user, malicious insider, compromised host, or chained internal pivot). The CVE record lists vendor and product but does not enumerate all firmware builds, so any EVW3226 not confirmed updated should be treated as potentially vulnerable.
Exploitation context
Public exploit material exists (Exploit-DB 40156, Full-Disclosure post, SEARCH-LAB advisory) describing the unauthenticated retrieval path. CISA KEV does not list this CVE, and the sources do not document active in-the-wild exploitation, but the technique is trivial and well-published.
Researcher notes
CWE-538 information disclosure with CVSS v4.0 8.7 (AV:N/AC:L/PR:N/UI:N, VC:H). Backup file 'Configuration_file.cfg' lingers in web root until reboot; archive is unencrypted and exposes admin credentials. CVE record (published 2025-11-14, updated 2026-04-07) does not enumerate fixed firmware - sources only confirm vulnerable through 1.0.20. No KEV listing; reachability is LAN-adjacent, but operator-managed CPE often has weak segmentation between subscribers.
Mitigation direction
- Inventory ISP-supplied or self-managed Ubee EVW3226 devices and identify firmware versions in use.
- Engage the cable operator or Ubee for current firmware guidance, since no fixed version is named in cited sources.
- Restrict LAN-side HTTP access to the modem to trusted management hosts or VLANs.
- Reboot affected devices after any backup operation to clear the residual file from the web root.
- Rotate the device admin password and any credentials reused elsewhere if backup retrieval cannot be ruled out.
- Where feasible, replace end-of-life EVW3226 hardware with a vendor-supported gateway.
Validation and detection
- Confirm device model and firmware version via the modem's admin UI or operator portal.
- From a LAN host, attempt an unauthenticated HTTP GET for the configuration backup path referenced in the public advisories.
- Review HTTP and access logs for unexpected requests to the configuration backup filename.
- After remediation, retest the same request path and confirm it no longer returns a configuration archive.
- Verify that no copy of the unencrypted backup archive persists on the device or in management workstations.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-538: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCredential and access behavior lookup
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2016-15056 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 8.7 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
8.7HighVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://www.exploit-db.com/exploits/40156CVE reference · exploit
- https://seclists.org/fulldisclosure/2016/Jul/66CVE reference · exploit
- https://web.archive.org/web/20160726145043/http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilitiesCVE reference · technical-description, exploit
- https://web.archive.org/web/20160403014231/http://www.ubeeinteractive.com/products/cable/evw3226CVE reference · product
- https://www.vulncheck.com/advisories/ubee-evw3226-unauthenticated-backup-file-disclosureCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
