MEDIUM: Open CWMP Report

DESCRIPTION LAST UPDATED: 2023-12-08

SEVERITY LEVEL: MEDIUM

This report identifies hosts that have the CPE WAN Management Protocol (CWMP) running and accessible on the Internet. It is unlikely this service needs to be exposed to the wider Internet. Vulnerabilities in CWMP services can be abused by IoT botnets, such as Mirai. Note: this report identifies only accessible services, not necessarily vulnerable ones. Nevertheless please block external access if you receive a report from us to reduce your potential attack surface – why wait for a vulnerability to be discovered?

See https://en.wikipedia.org/wiki/TR-069 for more information.

For more information on our scanning efforts, check out our Internet scanning summary page.

Severity levels are described here.

This report has an IPv4 and IPv6 version.

Filename(s): scan_cwmp, scan6_cwmp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the CWMP response came on (always TCP)
  • port
    Port that the CWMP response came from (7547/TCP or 30005/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    This will always be cwmp
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • http
    Hypertext Transfer Protocol Version
  • http_code
    HTTP Response code: e.g., 200, 401, 404
  • http_reason
    The text reason to go with the HTTP Code
  • content_type
    The MIME type of the body of the request (used with POST and PUT requests)
  • connection
    Control options for the current connection and list of hop-by-hop request fields
  • www_authenticate
    Indicates the authentication scheme that should be used to access the requested entity
  • set_cookie
    The HTTP Cookie to be set
  • server
    CWMP Server type
  • content_length
    The length of the response body in octets
  • transfer_encoding
    The form of encoding used to safely transfer the entity to the user
  • date
    The date and time that the message was sent
  • sector
    Sector the device belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","http","http_code","http_reason","content_type","connection","www_authenticate","set_cookie","server","content_length","transfer_encoding","date","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,10001,node01.example.com,cwmp;http,64512,ZZ,Region,City,0,,HTTP/1.1,401,Unauthorized,"text/html; charset=ISO-8859-1",Keep-Alive,"Digest realm=\"\"ACSSimTool\"","nonce=\"\"VHVlIE5vdiAyOCAxNDo0Nzo1MCAyMDA2MS4xLjEuMTI1\"\"","opaque=\"\"5ccc069c403ebaf9f0171e9517f40e41\"\"","qop=\"\"auth\"\"\"",,,0
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,10001,node02.example.com,cwmp;http,64512,ZZ,Region,City,0,ptr,HTTP/1.1,401,Unauthorized,"text/html; charset=ISO-8859-1",Keep-Alive,"Digest realm=\"\"ACSSimTool\"","nonce=\"\"VHVlIE5vdiAyOCAxNDo0Nzo1MCAyMDA2MS4xLjEuMTI1\"\"","opaque=\"\"5ccc069c403ebaf9f0171e9517f40e41\"\"","qop=\"\"auth\"\"\"",,,0
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,10001,node03.example.com,cwmp;http,64512,ZZ,Region,City,0,,HTTP/1.1,401,Unauthorized,"text/html; charset=ISO-8859-1",Keep-Alive,"Digest realm=\"\"ACSSimTool\"","nonce=\"\"VHVlIE5vdiAyOCAxNDo0Nzo1MCAyMDA2MS4xLjEuMTI1\"\"","opaque=\"\"5ccc069c403ebaf9f0171e9517f40e41\"\"","qop=\"\"auth\"\"\"",,,0

Our 125 Report Types

« Back to Network Reporting