LiveActive security incident?Get immediate response
CVE Record

CVE-2016-15056: Ubee EVW3226 Unauthenticated Backup File Disclosure

Ubee EVW3226 cable modem/routers firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. These backup files remain accessible without authentication until the next reboot. A remote attacker on the local network can request 'Configuration_file.cfg' directly to obtain the backup archive. Because backup files are not encrypted, they expose sensitive information including the plaintext admin password, allowing full compromise of the device.

HighCVSS 8.7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

A flaw in Ubee EVW3226 cable modem/routers leaves a configuration backup file sitting in the device's web folder after it's generated. Anyone on the local network can download it without logging in, and the file contains the admin password in plain text, handing over full control of the device.

Executive priority

Treat as high priority for any environment that still operates Ubee EVW3226 gateways, especially in offices, branch sites, or shared-tenant Wi-Fi. A single LAN-resident attacker can take full control of the gateway and the network behind it; coordinate with the ISP to confirm firmware status or replace the hardware.

Technical view

Firmware versions up to 1.0.20 of the Ubee EVW3226 write the generated backup archive to the web root and leave it accessible until reboot. An unauthenticated request for 'Configuration_file.cfg' returns the unencrypted archive, which discloses the plaintext administrative credentials, enabling full device takeover (CWE-538, sensitive information in resource not removed before reuse).

Likely exposure

Exposure is limited to attackers with access to the LAN side of an affected EVW3226 (guest Wi-Fi user, malicious insider, compromised host, or chained internal pivot). The CVE record lists vendor and product but does not enumerate all firmware builds, so any EVW3226 not confirmed updated should be treated as potentially vulnerable.

Exploitation context

Public exploit material exists (Exploit-DB 40156, Full-Disclosure post, SEARCH-LAB advisory) describing the unauthenticated retrieval path. CISA KEV does not list this CVE, and the sources do not document active in-the-wild exploitation, but the technique is trivial and well-published.

Researcher notes

CWE-538 information disclosure with CVSS v4.0 8.7 (AV:N/AC:L/PR:N/UI:N, VC:H). Backup file 'Configuration_file.cfg' lingers in web root until reboot; archive is unencrypted and exposes admin credentials. CVE record (published 2025-11-14, updated 2026-04-07) does not enumerate fixed firmware - sources only confirm vulnerable through 1.0.20. No KEV listing; reachability is LAN-adjacent, but operator-managed CPE often has weak segmentation between subscribers.

Mitigation direction

  • Inventory ISP-supplied or self-managed Ubee EVW3226 devices and identify firmware versions in use.
  • Engage the cable operator or Ubee for current firmware guidance, since no fixed version is named in cited sources.
  • Restrict LAN-side HTTP access to the modem to trusted management hosts or VLANs.
  • Reboot affected devices after any backup operation to clear the residual file from the web root.
  • Rotate the device admin password and any credentials reused elsewhere if backup retrieval cannot be ruled out.
  • Where feasible, replace end-of-life EVW3226 hardware with a vendor-supported gateway.

Validation and detection

  • Confirm device model and firmware version via the modem's admin UI or operator portal.
  • From a LAN host, attempt an unauthenticated HTTP GET for the configuration backup path referenced in the public advisories.
  • Review HTTP and access logs for unexpected requests to the configuration backup filename.
  • After remediation, retest the same request path and confirm it no longer returns a configuration archive.
  • Verify that no copy of the unencrypted backup archive persists on the device or in management workstations.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-538: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2016-15056 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.7 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
6Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.7CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

8.7High
CVSS 4.0 vector shape for CVE-2016-15056Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Ubee InteractiveUbee EVW32260unknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.