mofinetwork CVE Vulnerabilities & Metrics

Focus on mofinetwork vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About mofinetwork Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with mofinetwork. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total mofinetwork CVEs: 11
Earliest CVE date: 01 Feb 2021, 02:15 UTC
Latest CVE date: 08 Sep 2023, 03:15 UTC

Latest CVE reference: CVE-2021-27715

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical mofinetwork CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 6.65

Max CVSS: 10.0

Critical CVEs (≥9): 3

CVSS Range vs. Count

Range       Count
0.0-3.9     1
4.0-6.9     4
7.0-8.9     3
9.0-10.0    3

CVSS Distribution Chart

Top 5 Highest CVSS mofinetwork CVEs

These are the five CVEs with the highest CVSS scores for mofinetwork, sorted by severity first, then by recency.

All CVEs for mofinetwork

CVE-2021-27715 mofinetwork vulnerability CVSS: 0 08 Sep 2023, 03:15 UTC

An issue in MoFi Network MOFI4500-4GXeLTE-V2 3.5.6-xnet-5052 allows attackers to bypass authentication and execute arbitrary code via a crafted HTTP request.

CVE-2020-15836 mofinetwork vulnerability CVSS: 10.0 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function passes untrusted data to the operating system without proper sanitization. A crafted request can be sent to execute arbitrary commands as root.

CVE-2020-15835 mofinetwork vulnerability CVSS: 10.0 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function contains undocumented code that provides the ability to authenticate as root without knowing the actual root password. An adversary with the private key can remotely authenticate to the management interface as root.

CVE-2020-15834 mofinetwork vulnerability CVSS: 5.0 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The wireless network password is exposed in a QR encoded picture that an unauthenticated adversary can download via the web-management interface.

CVE-2020-15833 mofinetwork vulnerability CVSS: 10.0 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The Dropbear SSH daemon has been modified to accept an alternate hard-coded path to a public key that allows root access. This key is stored in a /rom location that cannot be modified by the device owner.

CVE-2020-15832 mofinetwork vulnerability CVSS: 7.8 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The poof.cgi script contains undocumented code that provides the ability to remotely reboot the device. An adversary with the private key (but not the root password) can remotely reboot the device.

CVE-2020-13860 mofinetwork vulnerability CVSS: 5.0 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password.

CVE-2020-13859 mofinetwork vulnerability CVSS: 5.0 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to log in to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature.

CVE-2020-13858 mofinetwork vulnerability CVSS: 7.5 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They contain two undocumented administrator accounts. The sftp and mofidev accounts are defined in /etc/passwd and the password is not unique across installations.

CVE-2020-13857 mofinetwork vulnerability CVSS: 7.8 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They can be rebooted by sending an unauthenticated poof.cgi HTTP GET request.

CVE-2020-13856 mofinetwork vulnerability CVSS: 5.0 01 Feb 2021, 02:15 UTC

An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes.