search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Philippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 contain multiple vulnerabilities

Vulnerability Note VU#525276

Original Release Date: 2015-08-31 | Last Revised: 2016-04-17


The Phillipine Long Distance Telephone (PLDT) company provides internet access in the Phillippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities. The BaudTec ADSL2+ Router may also be affected.


PLDT provides SpeedSurf 504AN, firmware version GAN9.8U26-4-TX-R6B018-PH.EN, and the Kasda KW58293, to customers for internet access. These devices contains multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5991

The form2WlanSetup.cgi page does not properly authenticate that administrative actions are being performed on purpose. An attacker may lure a user behind the router to click a malicious link when performs administrative actions such as changing the device's network settings.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-5992

The form2WlanSetup.cgi page contains an "ssid" parameter which is vulnerable to cross-site scripting.

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-5993

The form2ping.cgi page may be used to send PING requests. An attacker may use this page to inject a large string (more than 1874 characters) in the parameter "ipaddr" with a POST request which may cause a denial of service on the router. The router requires manual rebooting to recover.

CWE-798: Use of Hard-coded Credentials

Both modems contain a hard-coded account named adminpldt with a hard-coded password. For more information, please see VU#950576.

The reporter also states that the BaudTec (300Mbps WLAN ADSL2+ Router) with firmware version RNR4_A72T_PLD_0.19 may also be vulnerable to the above vulnerabilities.

The CVSS score below is based on CVE-2015-5991.


A remote attacker may utilize these credentials to gain administrator access to the device. A remote attacker may also be able to cause a denial of service.


The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information


Philippine Long Distance Telephone Affected

Notified:  June 02, 2015 Updated: August 28, 2015



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 7.4 AV:A/AC:M/Au:S/C:C/I:C/A:C
Temporal 6.3 E:POC/RL:U/RC:UR
Environmental 4.7 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Eskie Cirrus James Maquilang for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-5991, CVE-2015-5992, CVE-2015-5993
Date Public: 2015-08-31
Date First Published: 2015-08-31
Date Last Updated: 2016-04-17 23:16 UTC
Document Revision: 52

Sponsored by CISA.