Home

Description

Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network traffic and attached systems.

PUBLISHED Reserved 2025-11-14 | Published 2025-11-14 | Updated 2025-11-18 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Product status

Default status
unknown

Any version
affected

Timeline

2022-01-05:ExploitDB-50636 is publicly disclosed.

Credits

Daniel Monzón (stark0de) finder

References

cxsecurity.com/issue/WLB-2022010024 exploit

www.exploit-db.com/exploits/50636 exploit

www.exploit-db.com/exploits/50636 exploit

cxsecurity.com/issue/WLB-2022010024 exploit

help.vodacom.co.za/...493/1023659/Vodafone-H500s-WiFi-router product

www.vulncheck.com/...password-disclosure-via-activation-json third-party-advisory

cve.org (CVE-2022-4985)

nvd.nist.gov (CVE-2022-4985)

Download JSON