CVE-2016-10305

Name: CVE-2016-10305
Creator: NVD / NIST
Published: 2017-03-30T07:59:00.143+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 1.69%

Last modified Jun 17, 2026

CVE-2016-10305 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Trango Apex <= 2.1.1, ApexLynx < 2.0, ApexOrion < 2.0, ApexPlus <= 3.2.0, Giga <= 2.6.1, GigaLynx < 2.0, GigaOrion < 2.0, GigaPlus <= 3.2.3, GigaPro <= 1.4.1, StrataLink < 3.0, and StrataPro devices have a built-in, hidden root account, with a default password that was once stored in cleartext within a software update package on a Trango FTP server. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.. EPSS estimates a 1.69% chance of exploitation in the next 30 days.

Description

Trango Apex <= 2.1.1, ApexLynx < 2.0, ApexOrion < 2.0, ApexPlus <= 3.2.0, Giga <= 2.6.1, GigaLynx < 2.0, GigaOrion < 2.0, GigaPlus <= 3.2.3, GigaPro <= 1.4.1, StrataLink < 3.0, and StrataPro devices have a built-in, hidden root account, with a default password that was once stored in cleartext within a software update package on a Trango FTP server. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.69%

74.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-798

Affected Software

Vendor	Product	Versions
Gotrango	Apex Plus Firmware	<= 3.2.0
Gotrango	Apex Firmware	<= 2.1.1
Gotrango	Apex Lynx Firmware	<= 1.2.3
Gotrango	Apex Orion Firmware	<= 1.2.3
Gotrango	Giga Firmware	<= 2.6.1
Gotrango	Giga Lynx Firmware	<= 1.2.3
Gotrango	Giga Orion Firmware	<= 1.2.3
Gotrango	Giga Plus Firmware	<= 3.2.3
Gotrango	Giga Pro Firmware	<= 1.4.1
Gotrango	Stratalink Pro Firmware	All versions
Gotrango	Stratalink Firmware	<= 2.2.0

References

http://blog.iancaling.com/post/153011925478Exploit, Third Party Advisory
http://blog.iancaling.com/post/153011925478Exploit, Third Party Advisory

Timeline

Published: Mar 30, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-10305?

How severe is CVE-2016-10305?

CVE-2016-10305 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.69% probability of exploitation in the next 30 days.

How do I fix CVE-2016-10305?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-10305?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST