Experts Found a Flaw Present in Different Modem Brands

Cybersecurity researchers from Lyrebirds recently discovered the existence of Cable Haunt, a vulnerability in modems from various manufacturers, said Tom’s Hardware. In Europe alone, the issue is expected to affect hundreds and thousands of modems.

Cable Haunt, or CVE-2019-19494, is exploitable by hackers, allowing them to intercept messages, even when sent through private channels. Attacks could also redirect traffic and participate in botnets.

According to experts, the security flaw occurs only in a local network. This means that potential attacks could only happen locally. However, an “improper websocket usage” allows remote players to abuse the vulnerability.

Flaw Present in Different Modem Brands


Experts also emphasized that manufacturers that produced modems affected by Cable Haunt share some code with one another. Threat Post revealed that brands involved include Arris, Netgear, COMPAL, Sagemcom, and Technicolor, among others.

The flaw stemmed from a reference software written by Broadcom, which was then copied by the aforementioned firms. The reference software was then incorporated into the firmware of various devices.

A technical paper written by the researchers revealed that the concerned modems are “vulnerable to a DNS rebind attack followed by overflowing the registers and executing malicious functionality.” In order to replicate the flaw, the experts demonstrated the attack using a proof-of-concept (PoC) exploit.

The PoC exploit was done by compromising the spectrum analyzer of the modem, allowing local access. The researchers then performed a DNS rebind attack to gain remote access to the compromised component.

Tom’s Hardware listed down models that are confirmed to be affected by Cable Haunt. This includes Sagemcom F@st 3890, Sagemcom F@st 3686 with FW50.10.19, Technicolor TC7230, Netgear C6250EMR, Sagemcom F@st 3890, Sagemcom F@st 3686 with FW 4.83.0, COMPAL 7284E, COMPAL 74 86E and Netgear CG3700EMR.


There are other modems suspected to be vulnerable to the bug, no confirmation from internet service providers has been given. This includes Technicolor TC440, Arris Surfboard SB8200, Arris Surfboard CM8200A, Arris Surfboard SB6813, Netgear CM1000, Humax HGB10R-02 and Technicolor TC7300.

Users are reminded that specific firmware versions can be exploited with Cable Haunt. To check whether a specific model can be exploited using the bug, the Lyrebirds researchers advised consumers to get in touch with the manufacturers for confirmation. The team also released a test script, which consumers can use to check their modems.

Meanwhile, reports highlight that the vulnerability was made public even before a solution was created. However, Lyrebirds deemed it important to gain as much attention as possible to prevent a large-scale attack.