New firmware for Atom R9 Cat4 Gen2 CPEs has been released. This is a critical security update and we strongly recommend all customers upgrade immediately. The update addresses a security vulnerability that has been actively exploited in the field, resulting in compromised devices where the web interface becomes inaccessible.
If your devices are running BaiCE_BM_2.5.26.2 or any earlier 2.5.26.x build, you should upgrade to BaiCE_BM_2.5.26.33 without keeping settings (“Upgrade” without checking the Keep Settings box). This ensures removal of the vulnerable hardcoded account and resets any unauthorized configuration changes made by an attacker. If the web interface is unavailable but the CPE is connected to the OMC, you can attempt the software upgrade from the OMC. As a last resort, an exploited CPE can be recovered by holding the physical reset button to reset it.
Security Fixes in This Release
- Removed the hardcoded username "administrator"
- Removed all stored usernames and passwords from configuration backup files
Supported Hardware:
- Atom OD04H (EG7035E)
- Atom OD04L (EG7035L)
- Atom ID04 (EG2030C)
Software Download: BaiCE_BM_2.5.26.33_NA
Module Firmware:
Changelog:
=========================
Version BaiCE_BM_2.5.26.33
-------------------------
New Features:
- Added: GRE L2
- Added: Support untagged VLAN for HaloBv2
Bug Fixes:
- Fixed: SNMP set parameter may fail
- Fixed: Model BM816 fails to attach when EDRX is enabled
Improvements:
- Improved: Hardcoded username "administrator" has been removed
- Improved: Username and password are removed from the config file