This is borderline criminal in today's online environment
http://www.theregister.co.uk/2015/04/09/no_moto_surfboard_modem_has_hardcoded_creds/
Researchers at Rapid7 have turned up a set of typically dumb vulnerabilities in Motorola's DOCSIS/EuroDOCSIS 3.0-capable SURFboard SBG 6580 cable broadband modem. The device, which also ships under the Arris brand, has vulnerabilities including hardcoded login credentials that will allow an outside attacker to take control of the kit.
The three vulnerabilities are:
A cross-site request forgery tagged CVE-2015-0965 that lets an arbitrary site log in without the user's knowledge;
At least one hard-coded backdoor, CVE-2015-0966, letting “technician” log in with the password yZgO8Bvj; and
A cross-site scripting vulnerability in the firewall config page, CVE-2015-0964, letting attackers inject JavaScript to do pretty much anything they want.
Arris is the Motorola spin-off carrying the cable modem business. It recently won a lucrative deal in Australia to supply product for the HFC part of the network.
I myself can't understand how anyone could believe they are a professional network engineer / designer and allow these types of exploitable entry points into such equipment. This is beyond belief.