CVE-2022-4985

Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network traffic and attached systems.

CVSS

No CVSS.

References

Link	Resource
https://cxsecurity.com/issue/WLB-2022010024
https://help.vodacom.co.za/personal/home/61/9493/1023659/Vodafone-H500s-WiFi-router
https://www.exploit-db.com/exploits/50636
https://www.vulncheck.com/advisories/vodafone-h500s-wifi-password-disclosure-via-activation-json
https://cxsecurity.com/issue/WLB-2022010024
https://www.exploit-db.com/exploits/50636

Configurations

No configuration.

History

18 Nov 2025, 17:15

Type	Values Removed	Values Added
References	~~() https://cxsecurity.com/issue/WLB-2022010024 -~~	() https://cxsecurity.com/issue/WLB-2022010024 -
References	~~() https://www.exploit-db.com/exploits/50636 -~~	() https://www.exploit-db.com/exploits/50636 -

14 Nov 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-14 23:15

Updated : 2025-11-18 17:15

NVD link : CVE-2022-4985

Mitre link : CVE-2022-4985

CVE.ORG link : CVE-2022-4985

JSON object : View

Products Affected

No product.

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

{"id": "CVE-2022-4985", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "disclosure@vulncheck.com"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-14T23:15:43.447", "references": [{"url": "https://cxsecurity.com/issue/WLB-2022010024", "source": "disclosure@vulncheck.com"}, {"url": "https://help.vodacom.co.za/personal/home/61/9493/1023659/Vodafone-H500s-WiFi-router", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/50636", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/vodafone-h500s-wifi-password-disclosure-via-activation-json", "source": "disclosure@vulncheck.com"}, {"url": "https://cxsecurity.com/issue/WLB-2022010024", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.exploit-db.com/exploits/50636", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-497"}]}], "descriptions": [{"lang": "en", "value": "Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document that contains the wifi_password field. This allows an unauthenticated attacker to obtain the WiFi credentials and gain unauthorized access to the wireless network, compromising confidentiality of network traffic and attached systems."}], "lastModified": "2025-11-18T17:15:57.493", "sourceIdentifier": "disclosure@vulncheck.com"}