PatchSiren

CVE-2015-6023 Netcommwireless CVE debrief

This issue affects NetCommWireless HSPA 3G10WVE routers running vulnerable firmware and involves ping.cgi accepting a direct request that bypasses intended access restrictions. NVD rates it as network-exploitable with no authentication or user interaction required, and the supplied description says it can be combined with CVE-2015-6024 to execute arbitrary commands. If these routers are still deployed and reachable from untrusted networks, treat them as a high-priority remediation target.

Vendor: Netcommwireless
Product: CVE-2015-6023
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Network administrators, MSPs, and security teams responsible for NetCommWireless HSPA 3G10WVE routers, especially any device with exposed web management or legacy embedded deployments.

Technical summary

The NVD record assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L and maps the issue to CWE-284 (Improper Access Control). The vulnerable surface is ping.cgi, where a direct request bypasses intended access restrictions. NVD reference data also lists public mailing-list, advisory, and exploit references, indicating the issue was publicly discussed.

Defensive priority

High for any still-deployed or internet-reachable affected router; lower only if you can confirm the vulnerable firmware is absent and management interfaces are not exposed.

Recommended defensive actions

  • Upgrade to firmware at or above 3G10WVE-L101-S306ETS-C01_R05, and verify the exact build on each device.
  • Inventory all NetCommWireless HSPA 3G10WVE routers and confirm whether they are exposed to untrusted networks.
  • Restrict management access to trusted admin networks or VPNs; block WAN access to router admin services and CGI endpoints.
  • Review device logs and traffic for unexpected requests to ping.cgi and other administrative CGI paths.
  • If patching is not immediately possible, segment or replace affected devices and reduce their exposure, especially where chaining with CVE-2015-6024 may be possible.
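
One way to carry out the log review in the actions above, as an added example that is not part of the original advisory or any vendor tooling. It assumes requests to the router's web interface are recorded in combined log format by an upstream proxy or tap; TRUSTED_NETS, the sample addresses and the sample paths are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: the only networks allowed to reach the router's web management.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined log format: client, identity, user, [timestamp], "request", status
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; addresses and paths are placeholders.
SAMPLE_LOG = """\
10.20.0.15 - admin [12/Mar/2024:09:14:02 +0000] "GET /ping.cgi HTTP/1.1" 200 512
203.0.113.45 - - [12/Mar/2024:09:20:11 +0000] "GET /ping.cgi HTTP/1.1" 200 498
198.51.100.7 - - [12/Mar/2024:09:21:40 +0000] "GET /PING%2Ecgi HTTP/1.1" 401 0
198.51.100.7 - - [12/Mar/2024:09:21:44 +0000] "POST /status.cgi HTTP/1.1" 403 0
203.0.113.45 - - [12/Mar/2024:09:22:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def classify(line):
    """Return (severity, source, path, status) for a CGI request from an
    untrusted source, or None when the line needs no review."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Decode and lowercase before matching so encoded or mixed-case names count.
    path = unquote(urlsplit(m["target"]).path)
    segments = path.lower().split("/")
    if not any(s.endswith(".cgi") for s in segments):
        return None
    try:
        trusted = any(ipaddress.ip_address(m["src"]) in n for n in TRUSTED_NETS)
    except ValueError:
        trusted = False  # hostname logged instead of an IP: treat as untrusted
    if trusted:
        return None
    status = int(m["status"])
    if "ping.cgi" in segments:
        # A 2xx answer means the direct request was served, not refused.
        severity = "high" if 200 <= status < 300 else "medium"
    else:
        severity = "low"
    return (severity, m["src"], path, status)

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]
```

A "high" hit means ping.cgi answered a source outside the management networks, which is the condition the access restriction in the third action is meant to prevent.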

Evidence notes

The supplied NVD record states that ping.cgi allows remote attackers to bypass intended access restrictions via a direct request and assigns CWE-284. The reference list includes entries tagged as Exploit, Mailing List, Third Party Advisory, and VDB Entry (for example Packet Storm, Full Disclosure, and Exploit-DB), which supports public disclosure context without providing exploit detail here. The supplied data is not fully consistent on affected-version scope: the description says firmware before 3G10WVE-L101-S306ETS-C01_R05, while the NVD CPE criteria mark 3G10WVE-L101-S306ETS-C01_R03 as vulnerable.

Official resources

Public vulnerability record with external advisories and exploit references. The supplied timeline shows CVE publication on 2017-02-09 and last modification on 2026-05-13; NVD references include 2016 Full Disclosure and exploit-advisory era