Critical Zero-Day Exploit in Excitel Genesis Routers: A Story of Vulnerability and Exploitation
- Abhishek Kanaujia
- Sep 6, 2024

The story begins during the early days of the COVID-19 lockdown, when everyone was confined to their homes, and the demand for reliable internet skyrocketed. I, like many others, began exploring various broadband options, and that's when I came across Excitel. Their fiber optic internet service was attractively priced, so I decided to give it a try.
However, what I soon discovered was far more than just an affordable broadband service—it was a critical vulnerability hidden in plain sight.
Excitel routers, which utilize Genesis hardware, offer dual-band Wi-Fi, allowing users to connect via 2.4GHz or 5GHz frequencies. However, there was a mysterious third SSID in the list called "www.excitel.com".
Initially, I thought it was a clever marketing tactic, making users think there were multiple Excitel routers around. But upon closer inspection, I noticed that this SSID didn’t actually provide internet access. What seemed like a harmless placeholder turned out to be the key to a much bigger problem.
The Discovery: Gaining Access via the Hidden SSID
Curiosity got the better of me, so I decided to dig deeper. Using random login attempts, I managed to crack the password for the "www.excitel.com" SSID—it was simply 11223344. While this network didn’t provide internet access, I was able to access the router's admin panel via the default gateway address (commonly 192.168.1.1 or 192.168.1.0).

Here’s where things started to get interesting. The Excitel router had two default profiles:
- Admin – with standard admin access.
- Excitel – with super admin privileges.

Excitel's routers are Genesis devices with the following software details:
- Software Version: T2122-V1.26EXU
Using these credentials (the default password for the "excitel" profile was exc@123), I gained access to the full admin panel. From there, I could navigate to the WLAN settings and view the actual Wi-Fi passwords for the 2.4GHz and 5GHz bands, giving me full control over the router.
Why is This a Zero-Day Exploit?
At first glance, this might not seem like a critical issue—after all, users could change their admin passwords. However, several design flaws in Excitel’s security measures make this vulnerability easily exploitable, even if the default credentials are changed. Here are the two key security mechanisms implemented by Excitel and why they fall short:
- Session Limiting: If one user is already logged into the admin panel, anyone else trying to log in will see the message: "Administration is already logged in." This prevents multiple logins but doesn’t protect against unauthorized access.
- Rate Limiting: After five incorrect login attempts, the system temporarily blocks further attempts for five minutes. While this sounds secure, it’s easy to bypass.
Despite these safeguards, I found multiple ways to exploit the system. Below, I’ll explain three scenarios that demonstrate just how easy it is to compromise an Excitel router.
Scenario 1: Exploiting Default Credentials
In the first and simplest scenario, an attacker can connect to the "www.excitel.com" SSID using the default password 11223344.
Once connected, they can log in to the admin panel using the super admin credentials (exc@123) and gain access to the WLAN settings.

From here, the attacker can view or even change the passwords for the 2.4GHz and 5GHz Wi-Fi networks, giving them complete control over the user’s internet.
A brief POC I shared with the security team that day.
Scenario 2: Resetting the Router via Deauthentication Attack
If the default credentials have been changed, things get a bit more complex—but still far from secure.
Using tools like Kali Linux and Aircrack-ng, I performed a de-authentication attack, sending a flood of deauth packets to force the router to disconnect all connected devices.
The steps for this attack are straightforward:
- Run airodump-ng to monitor available Wi-Fi networks.
- Identify the Excitel router's BSSID.
- Use aireplay-ng to send deauth packets, forcing a router reset.
After a few minutes of sending deauth packets, the router would reboot, flushing its cache and temporarily reverting to default settings. Once this happens, the attacker can use the default credentials to regain access to the admin panel and retrieve the Wi-Fi passwords.
Scenario 3: Bypassing the "Administration Already Logged In" Message

Even if the message "Administration is already logged in" appears when trying to access the admin panel, the same de-authentication attack can be used to force a logout. By flooding the router with deauth packets, I could disconnect the legitimate user, log back in using default credentials, and take control of the router once again.
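Scenarios 2 and 3 both depend on a sustained burst of deauthentication frames aimed at one access point, which is something a defender can watch for. The following is an added example, not code from the original post: a sliding-window detector run over a constructed log of management frames. The log format, the MAC addresses, and the `window` and `threshold` values are assumptions to adapt to your own sniffer output.

```python
import re
from collections import defaultdict, deque

# Assumed (constructed) log format, one 802.11 management frame per line:
#   <epoch seconds> <subtype> bssid=<mac> dst=<mac>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<subtype>\w+)\s+"
    r"bssid=(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"dst=(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$",
    re.IGNORECASE,
)

def build_sample():
    """Constructed capture: normal traffic, one junk line, then a 4-second burst."""
    ap = "02:00:00:aa:bb:01"  # constructed, locally administered MAC
    lines = [
        f"1000.0 beacon bssid={ap} dst=ff:ff:ff:ff:ff:ff",
        f"1003.0 deauth bssid={ap} dst=02:00:00:cc:dd:01",  # one client leaving
        "truncated line from the sniffer",
    ]
    lines += [f"{1100 + i * 0.1:.1f} deauth bssid={ap} dst=ff:ff:ff:ff:ff:ff"
              for i in range(40)]
    return lines

def detect_deauth_floods(lines, window=5.0, threshold=20):
    """Return one alert per burst of >= threshold deauth frames within `window` seconds."""
    recent = defaultdict(deque)   # bssid -> timestamps inside the sliding window
    current = {}                  # bssid -> alert still being extended
    alerts = []
    for line in lines:            # timestamps are assumed to be non-decreasing
        m = LINE_RE.match(line.strip())
        if not m or m["subtype"].lower() != "deauth":
            continue              # skip malformed lines and other frame types
        ts, bssid = float(m["ts"]), m["bssid"].lower()
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        alert = current.get(bssid)
        if alert and ts - alert["last"] <= window:
            alert["last"] = ts    # same burst: extend it instead of re-alerting
            alert["frames"] += 1
        else:
            alert = {"bssid": bssid, "first": q[0], "last": ts, "frames": len(q)}
            current[bssid] = alert
            alerts.append(alert)
    return alerts
```

A single deauth from a departing client stays well under the threshold, so only the sustained burst raises an alert, and an alert on your own BSSID followed by a router reboot matches the sequence described in Scenario 2.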
A Flaw That Still Exists: Lack of Proper Mitigation
Despite discovering this vulnerability in 2020, Excitel has not provided a proper patch for many existing routers. Although newer firmware versions and routers seem to have different passwords for the "www.excitel.com" SSID, many older devices remain vulnerable.
What’s even more concerning is that I reached out to Excitel’s security team but received no response. This bug can be devastating. An attacker could take over someone’s home network, intercept traffic, reroute users to malicious websites, or even perform man-in-the-middle attacks. Worse still, the victim may never realize their router has been compromised.
How I Secured My Router:
While Excitel doesn’t offer an easy way to disable the "www.excitel.com" SSID, I found a workaround by accessing the console. With a simple piece of JavaScript, you can turn off the exposed SSID and protect your network. I'll share the script below for anyone looking to secure their router from this vulnerability. However, it may not work on all routers, so please follow the steps outlined in the POC carefully.
POC video to mitigate the exposed SSID:
Final Thoughts: A Call to Action
This critical zero-day vulnerability highlights the risks associated with poorly secured routers, specifically those using Genesis hardware and firmware like the T2122-V1.26EXU version from July 18, 2022. Excitel should provide firmware updates to patch these flaws for all users, not just those with newer routers. In the meantime, users should be aware of these risks and take steps to secure their networks.
If you're using an Excitel router, check whether your device is vulnerable and take action to protect your privacy. This is not just a matter of inconvenience—it’s a serious security threat that can lead to data theft, financial loss, and more. Stay safe, and stay informed!
Thanks for reading. If you want to learn more about Wi-Fi hacking and how to protect yourself, check out my other blog posts where I delve into security tips and advanced techniques.