Talos Vulnerability Report


Trend Micro Inc. Home Network Security SFTP log collection server hard-coded password vulnerability

May 24, 2021
CVE Number



A hard-coded password vulnerability exists in the SFTP Log Collection Server function of Trend Micro Inc.’s Home Network Security 6.1.567. A specially crafted network request can lead to arbitrary authentication. An attacker can send an unauthenticated message to trigger this vulnerability.

Tested Versions

Trend Micro, Inc. Home Network Security 6.1.567

Product URLs


CVSSv3 Score

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N


CWE-259 - Use of Hard-coded Password


The Home Network Security Station is a device used to monitor and protect home networks from security threats as well as offer simple network management features. The Station provides vulnerability scanning, web threat protection, intrusion prevention, as well as device-based access control for all devices on a home network.

A hard coded username and password exists for uploading a collection of log files from the Trend Micro Home Network Security device. This log server is at logs.trendmicro.com. The log server is utilized to dump all information that the device collects back to Trend Micro’s infrastructure, and can include indentifiable information of the networks that the data originated from. The username and password are hard coded in the core binary of the HNS device as diamond:bahV6AtJqZt4K. On the SFTP server, these credentials can be used to create files, change permissions on files, and upload arbitrary data to the server. This could result in the loss of the logs if files are overwritten, or data exfiltration could occur if it is possible to download data.


2021-01-22 - Vendor Disclosure
2021-04-06 - 75+ day follow up
2021-04-20 - Talos granted timeline extension for disclosure
2021-05-20 - Vendor Patched
2021-05-24 - Public Release


Discovered by Carl Hurd and Kelly Leuschner of Cisco Talos.