“An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication,” Cisco said today. “An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.”
Note that “administrator” was italicized by the networking giant. Super serious.
Cisco pitches Prime Home as a “solution” for ISPs and connected device vendors, allowing companies to control devices such as ISP-issued cable modems, routers, and set top boxes in subscribers’ homes from afar. It uses “Broadband Forum’s TR-069 suite of protocols to provision and manage in-home devices.”
That means that a successful attack on an ISP’s installation of Prime Home would allow a criminal to take administrator-level control of the Prime Home GUI and meddle with all the devices connected to that particular service. As there are no workarounds or mitigations for the bug, Cisco is recommending that administrators install the update as soon as possible.