search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Seowon Intech WiMAX SWU-9100 mobile router contains multiple vulnerabilities

Vulnerability Note VU#431726

Original Release Date: 2014-02-03 | Last Revised: 2014-02-11


Seowon Intech WiMAX SWU-9100 mobile routers contain command injection (CWE-77) and direct request (CWE-425) vulnerabilities.


Seowon Intech WiMAX SWU-9100 mobile routers contain command injection (CWE-77) and direct request (CWE-425) vulnerabilities.

CVE-2013-7183 - CWE-425: Direct Request ('Forced Browsing')
A remote unauthenticated attacker may factory reset or reboot the router by visiting a specific URL.

CVE-2013-7179 - CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
The following is a proof-of-concept for the command injection vulnerability.
curl -v --data "select_mode_ping=on&ping_ipaddr=>/dev/null; ls -lash /etc%23&ping_count=1&action=Apply&html_view=ping" "http://[IP_Router]/cgi-bin/diagnostic.cgi" > /dev/null

The CVSS score below is for CVE-2013-7179.


A remote unauthenticated attacker may be able to inject commands, reboot, or may perform a factory reset on the device.


We are currently unaware of a practical solution to this problem. Please consider the following workaround.

Restrict Access

Enable firewall rules so only trusted sources may access the device. Do not allow web administration from the WAN interface.

Vendor Information


Seowon Intech Inc Affected

Notified:  January 09, 2014 Updated: February 03, 2014



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal 6.4 E:POC/RL:W/RC:UC
Environmental 1.6 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Josue Rojas for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-7179, CVE-2013-7183
Date Public: 2014-02-03
Date First Published: 2014-02-03
Date Last Updated: 2014-02-11 21:03 UTC
Document Revision: 22

Sponsored by CISA.