A security researcher on Monday disclosed a set of now-patched authorisation bypass issues in Cox modems that could have been exploited to run malicious commands and gain unauthorised access to devices.
In a report published on June 3, Sam Curry, a security researcher, stated that the series of vulnerabilities enabled fully external attackers with no prerequisites to execute commands, modify settings of millions of modems, access any business customer’s personally identifiable information and acquire the same permissions as an internet service provider team.
Cox Communications, the U.S. service provider, fixed the authorisation bypass issues in March 2024, and there is no evidence that they were exploited before the fix.
Curry’s analysis of the underlying operations revealed around 700 exposed API endpoints, including a “profile search” endpoint that could be used to look up and retrieve a customer’s business account details using only their name. From there it was possible to find the MAC addresses of connected hardware on the account and to view and modify business customer accounts. Some endpoints could be abused to reach administrative functionality by repeatedly replaying HTTP requests.
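The two behaviours described above, an unauthenticated lookup endpoint and an authorisation layer that eventually lets a replayed request through, both leave a signature in API access logs. The detector below is an added example, not code from the original article, from Cox or from the researcher. It assumes a hypothetical JSON-lines access log format and hypothetical endpoint paths (`/api/profilesearch`, `/api/device/settings`); the sample log lines are constructed for illustration. It flags (a) identical requests from the same client and credential that were both denied and allowed, which a deterministic authorisation check should never produce, and (b) successful anonymous calls to endpoints that should require authentication.

```python
"""Spot replay-style authorisation bypasses and anonymous access in API logs.

Added example (not Cox's or the researcher's code). Log format, field names
and endpoint paths are hypothetical; SAMPLE_LOG is constructed for illustration.
"""
import json
from collections import defaultdict

# Hypothetical endpoints that must never succeed for an unauthenticated caller.
SENSITIVE_PATHS = {"/api/profilesearch", "/api/device/settings"}

# Constructed sample log: one JSON object per line. 203.0.113.7 is anonymous,
# queries profile search by name, then hammers the settings endpoint until it
# is let through; 198.51.100.9 is a legitimate support agent; 192.0.2.5 is
# anonymous and is consistently denied.
SAMPLE_LOG = """
{"ts":"2024-03-01T10:00:01Z","ip":"203.0.113.7","auth":"anon","method":"POST","path":"/api/profilesearch","status":200}
{"ts":"2024-03-01T10:00:02Z","ip":"203.0.113.7","auth":"anon","method":"POST","path":"/api/device/settings","status":403}
{"ts":"2024-03-01T10:00:02Z","ip":"203.0.113.7","auth":"anon","method":"POST","path":"/api/device/settings","status":403}
{"ts":"2024-03-01T10:00:03Z","ip":"203.0.113.7","auth":"anon","method":"POST","path":"/api/device/settings","status":200}
{"ts":"2024-03-01T10:00:04Z","ip":"198.51.100.9","auth":"agent:42","method":"POST","path":"/api/device/settings","status":200}
{"ts":"2024-03-01T10:00:05Z","ip":"198.51.100.9","auth":"agent:42","method":"GET","path":"/api/health","status":200}
{"ts":"2024-03-01T10:00:06Z","ip":"192.0.2.5","auth":"anon","method":"GET","path":"/api/health","status":200}
{"ts":"2024-03-01T10:00:07Z","ip":"192.0.2.5","auth":"anon","method":"POST","path":"/api/device/settings","status":403}
"""


def parse_log(text):
    """Parse a JSON-lines access log into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_denied(status):
    return status in (401, 403)


def is_allowed(status):
    return 200 <= status < 300


def find_replay_bypass(entries):
    """Group identical requests by (client, credential, method, path) and flag
    groups that were denied at least once and allowed at least once. The same
    request under the same credential should always get the same decision; a
    mix of 403 and 200 means the authorisation check is not deterministic and
    can be worn down by replay."""
    groups = defaultdict(lambda: {"denied": 0, "allowed": 0})
    for e in entries:
        key = (e["ip"], e["auth"], e["method"], e["path"])
        if is_denied(e["status"]):
            groups[key]["denied"] += 1
        elif is_allowed(e["status"]):
            groups[key]["allowed"] += 1
    findings = []
    for (ip, auth, method, path), c in sorted(groups.items()):
        if c["denied"] and c["allowed"]:
            findings.append({"ip": ip, "auth": auth, "method": method, "path": path,
                             "denied": c["denied"], "allowed": c["allowed"]})
    return findings


def find_anonymous_sensitive(entries, sensitive=SENSITIVE_PATHS):
    """Flag successful unauthenticated calls to endpoints that require auth."""
    counts = defaultdict(int)
    for e in entries:
        if e["auth"] == "anon" and e["path"] in sensitive and is_allowed(e["status"]):
            counts[(e["ip"], e["path"])] += 1
    return [{"ip": ip, "path": path, "hits": n}
            for (ip, path), n in sorted(counts.items())]


def analyse(text):
    """Run both detectors over a raw log and return the findings by kind."""
    entries = parse_log(text)
    return {"replay_bypass": find_replay_bypass(entries),
            "anonymous_sensitive": find_anonymous_sensitive(entries)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        for finding in items:
            print(kind, finding)
```

The replay detector keys on the credential as well as the client address so that a support agent who is legitimately allowed is never compared against an anonymous caller hitting the same path; on a real log you would also bucket by time window, since a 403 followed by a 200 hours later may simply mean the user logged in.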
The research began with the observation that Cox support agents can remotely control and update device settings, such as the Wi-Fi password, and view connected devices using the TR-069 protocol.
Curry’s research further found that it would be possible to overwrite a customer’s device settings using a cryptographic secret that is required to handle hardware modification requests.
The researcher reached out to Cox and shared details of the issues through the company’s responsible disclosure page on March 4. “They investigated if the specific vector had ever been maliciously exploited in the past and found no history of abuse,” stated Curry. He further stated that the company had taken down the exposed API calls within six hours and started working on the authorisation vulnerabilities, and that he was unable to reproduce the vulnerabilities the following day.
Curry is an American ethical hacker who has previously disclosed many vulnerabilities, from API vulnerabilities affecting 16 major car brands to security flaws in points.com that could have allowed attackers to access customer details and gain permissions to issue, manage and transfer reward points.