Vodafone H500s WiFi Password Disclosure Vulnerability

A vulnerability exists in Vodafone H500s devices running firmware version 3.5.10 (hardware model Sercomm VFH500), allowing unauthenticated access to the WiFi access point password through an HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document containing the wifi_password field. This exposure of WiFi credentials could lead to unauthorized access to the wireless network, compromising the confidentiality of network traffic and connected systems.

Impact

Exploitation of this vulnerability allows for unauthorized access to the WiFi network by disclosing the WiFi password, which could lead to interception of network traffic and access to devices connected to the network.

Reproduction

To reproduce this vulnerability, send a GET request to the /data/activation.json endpoint of the affected device's IP address. Include the 'pageid' cookie set to '129' and the appropriate headers to mimic a request from a web browser. The response will contain a JSON document with the wifi_password field, revealing the WiFi password.