Hackers may be able to remotely take complete control of cable modems from various manufacturers due to a critical vulnerability affecting a middleware component shipped with some Broadcom chips.
The vulnerability, dubbed Cable Haunt and tracked as CVE-2019-19494, was identified by researchers from Lyrebirds and an independent expert. They’ve reproduced the attack on ten cable modems from Sagemcom, Netgear, Technicolor and COMPAL, but other manufacturers also likely use the Broadcom chip containing the vulnerability.
The researchers estimate that 200 million modems were initially affected by this vulnerability in Europe alone. However, over the past year they have been notifying affected ISPs — cable modems are typically provided to internet users by ISPs — and four companies in Denmark and Norway have reported patching their devices after being notified.
The flaw is related to a tool called spectrum analyzer, which uses a websocket to communicate with the device’s graphical interface in the browser. The vulnerable tool is only exposed to the local network, but Cable Haunt attacks can also be launched from the internet by getting the targeted user to visit a malicious website or a site that serves malicious ads.
A hacker can set up a website that launches a DNS rebinding attack to gain access to the local network and execute the Cable Haunt exploit. DNS rebinding allows a remote hacker to abuse a targeted user’s web browser to directly communicate with devices on the local network — in this case with the cable modem.
The researchers who discovered Cable Haunt explained that cross-origin resource sharing (CORS) in the browser should prevent such attacks, but they discovered that all of the tested modems were vulnerable to DNS rebinding.
Once the attacker has gained remote access to a modem, they can exploit a buffer overflow vulnerability in the spectrum analyzer component to execute arbitrary code on the device. An attacker could change DNS and other settings, conduct man-in-the-middle (MitM) attacks, change the device’s firmware, obtain information about the device, and make the modem part of a botnet, the researchers said.
While in some cases the modems require authentication before accepting requests, the researchers found that all the tested devices have default credentials that can be used for this purpose. It’s worth noting that these are not the credentials for the device’s administration panel, but for the spectrum analyzer tool.
The researchers have made their findings public, including by setting up a dedicated website and publishing a detailed research paper, in an effort to raise awareness of the vulnerability and the risks. They have also released a proof-of-concept (PoC) exploit that can be used to determine if a device is vulnerable.
Related: Credential Leaking Vulnerabilities Impact Comba, D-Link Routers
Related: Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
