Critical Vulnerability Information Vulnerability Description Title: Missing Authentication in Web Management Interface of Comet System Network Sensor Devices CWE-ID: CWE-306: Missing Authentication for Critical Function Affected Vendors Affected Vendor: Comet System Affected Products and Firmware Versions Model T7611: Firmware versions 1.5-7-5.1252 / 1.60 Model T4519: Firmware versions 1.5-7-5.1252 / 1.60 Model T8510: Firmware versions 1.6-7-5.1252 / 1.66 Model T8640: Firmware versions 1.5-7-5.1252 / 1.60 Model T3310: Firmware versions 1.5-7-5.1252 / 1.60 Model T3211: Firmware versions 1.5-7-2.1211 / 1.60 Model R8512: Firmware versions 4.5-8.0.3488 / 1.70 Model R8532: Firmware versions 6-6-8.1.3502 / 1.80 Model H3511: Firmware versions 9-5-0.1.1327 / 1.10 Vulnerability Details Through the default web management interface, attackers can bypass authentication and access the management settings page (http://:8083/Netpage/40) without providing credentials. This allows unauthenticated users to modify critical device settings, including: - Security configuration: Disable security features, set administrator/user passwords. - Web server control: Disable the embedded web server or change the listening port (default: 8082). - Network and alarm settings: Modify alarm thresholds, SNMP agent parameters, email notifications, and backup controls. - Service disruption: Change VTP synchronization, web refresh intervals, or factory reset the device. The vulnerability exists because the "Security" tab in SWW and Security settings is disabled by default, allowing unauthenticated access to protected functions. Although the interface provides options to enable security (including administrator/user passwords), this is not the default configuration. Impact Unauthorized configuration changes may lead to operational disruption (e.g., disabling alarms or network interfaces). Attackers may disable security controls, exfiltrate sensitive data, or deploy persistent backdoors. PoC Screenshots are provided demonstrating how to access the settings page via the default URL and make modifications.