Fuze has patched several vulnerabilities discovered by Rapid7 researchers in a component of its cloud-based unified communications platform. The flaws could have been exploited to obtain sensitive data and launch brute-force attacks on the administration interface.
The security holes affected the Fuze platform’s TPN handset customer portal hosted at mb.thinkingphones.com/tpn-portlet. One of the flaws allowed a remote, unauthenticated attacker to obtain information about Fuze customers by providing a valid MAC address on a specific webpage.
While there are many MAC addresses in the world and finding one that belongs to a Fuze customer might seem difficult, the range of potentially valid addresses can be easily enumerated knowing that Fuze supports Polycom and Yealink phones, which have a specific subnet of addresses.
Providing a Fuze user’s MAC address on the webpage resulted in a response from the server containing the customer’s email address, phone number, a link to the admin portal, and account information, including location data.
Once on the administration portal, an attacker would have had two options for obtaining the admin code needed to access a user’s account. One of them involved intercepting HTTP network traffic between the handset and the admin portal, which included the code. The second option involved launching a brute-force attack on the login page, as the number of authentication attempts was not limited.
The vulnerabilities were reported to Fuze in April and they were all patched by May 6. The vendor now limits the number of authentication attempts, restricts access to the MAC page, and traffic is now protected against snooping. Since all the fixes are on the server side, no action needs to be taken by users and no CVE identifiers have been assigned.
“As users of the entire Fuze platform, Rapid7’s team identified security weaknesses and responsibly disclosed them to the Fuze security team. In this case, while the exposure was a limited set of customer data, Fuze took immediate action upon receiving notification by Rapid7, and remediated the vulnerabilities with its handset provisioning service, in full, within two weeks,” said Chris Conry, CIO of Fuze.
Conry pointed out that there is no evidence of attacks exploiting these vulnerabilities in the wild.
Related: Rapid7 Appointed CVE Numbering Authority
Related: Serious Flaw Found in Comcast’s Xfinity Home Security System
Related: Flaws in Hyundai App Allowed Hackers to Steal Cars

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
Latest News
- Chrome 114 Released With 18 Security Fixes
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Breaking Enterprise Silos and Improving Protection
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
