Unauthenticated CSRF reboot flaw in ARRIS (Motorola) SURFboard modems

Posted by David Longenecker on Apr 04

ARRIS (formerly Motorola) SURFboard 6141 broadband cable modems, with the
latest firmware deployed by Time Warner Cable, have a LAN-side web UI with
a fixed IP address that does not require authentication, and a cross-site
request forgery vulnerability through which it is possible to reboot the
modem with one click.

It is also possible to factory reset the modem with a simple
unauthenticated URL. This causes a longer outage while the modem…
