🔒
REAL ENGAGEMENT · CLIENT ANONYMISED

This article is based on a live Nessus vulnerability assessment conducted on a KwaZulu-Natal dental practice in March 2026. All findings are real. The client has been fully anonymised. The practice has since remediated the critical and high-severity findings. This is published with client consent for the purpose of raising awareness in the healthcare sector.

The Device Nobody Thinks About

In almost every small practice I assess, there is a piece of network equipment in a corner or on a shelf that has not been touched since the day it was installed. It hums quietly. It connects everyone to the internet. Nobody logs into it. Nobody patches it. Nobody even knows what version of software it's running — because why would they? It just works.

That device is usually the most dangerous thing on the network.

In this engagement, a full internal network vulnerability assessment of a KZN dental practice, the most severe finding wasn't a rogue application or a compromised workstation. It was the router: a TP-Link access point serving as the practice's gateway, doing its job faithfully and invisibly for years. When we ran the Nessus scan, it reported back a finding that stopped everything:

NESSUS OUTPUT · 192.168.0.1
CRITICAL · Plugin 93650 · Dropbear SSH Server < 2016.74 Multiple Vulnerabilities
Version source : SSH-2.0-dropbear_2012.55
Installed version : 2012.55
Fixed version : 2016.74
CVE-2016-7406 · CVSS v3.0 Base Score: 9.8 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The router was running an SSH server released in 2012. The flaw that allows unauthenticated remote code execution as root was disclosed and fixed in 2016. It was 2026 when we found it. That is a decade of exposure, sitting at the network edge of a practice holding thousands of patient records.

What CVSS 9.8 Actually Means

CVSS — the Common Vulnerability Scoring System — rates vulnerabilities on a scale from 0 to 10. A score of 9.8 sits just below the maximum possible. To understand what that means in practice, look at the vector string:

CVSS v3.0 BASE SCORE: 9.8 · CVE-2016-7406 · Dropbear SSH < 2016.74
ATTACK VECTOR: NETWORK (exploitable over the network)
ATTACK COMPLEXITY: LOW (no special conditions)
PRIVILEGES REQUIRED: NONE (no authentication needed)
USER INTERACTION: NONE (no victim action needed)
SCOPE: UNCHANGED (impact stays on the device)
IMPACT: C:H / I:H / A:H (full compromise)

Breaking that down: this vulnerability can be exploited by anyone who can reach the SSH port, with no prior authentication and low technical complexity, and it results in full compromise of the device: confidentiality, integrity and availability are all rated High. The attacker needs nothing except network reachability and knowledge of the vulnerability. Both are free.

The specific flaw (CVE-2016-7406) is a format string vulnerability in the way Dropbear handles usernames (the dbclient side has the same problem with its host argument). A login attempt whose username carries format string specifiers reaches a message printout that uses it as a format string, and because the SSH daemon on this router runs as root, code execution there is root. One caveat from the Dropbear 2016.74 changelog: the printout is reached only for a username the system resolves with getpwnam(), so the precondition on the server side is an account whose name contains a "%" character. That narrows the practical exploit path on a given device; it changes nothing about the remediation. The fix has been available since 2016. The router just never got it.

192.168.0.1 — TP-Link TL-WA901ND 4.0
Edge Router · Network Gateway · Internet-Facing
CVSS 9.8

The router sits at the perimeter of the entire practice network. Every device in the building routes its traffic through it. Its SSH management interface was enabled and running Dropbear version 2012.55, a release that predates the fix by four years, and the very first line the daemon sends on connection advertises that version to anyone who connects. One check is worth doing before a finding like this is written up as internet-facing: this scan ran from inside the network against 192.168.0.1, so whether the banner is visible from the internet depends on the daemon listening on the WAN side, which is confirmed by connecting to port 22 on the practice's public address from outside. Where it is exposed, Shodan indexes devices like this automatically; it is not necessary to actively hunt for them.
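The banner check behind this finding, as an added example that is not part of the original assessment or of Nessus itself: it reads the SSH identification line the router sends before any authentication, pulls the Dropbear release out of it and compares it with the 2016.74 release that carried the fix, using the version string from the scanner output above as a constructed sample. The host and port passed to grab_ssh_banner() are assumptions; the parsing needs no network access, which also makes this the quick re-check to run after a firmware update.

```python
"""Verify a Dropbear SSH version finding from the server's own banner.

Added example, not from the original assessment or from Nessus. The scanner
matched the identification line 'SSH-2.0-dropbear_2012.55' against the release
that fixed CVE-2016-7406; this does that comparison by hand and can grab the
live banner so the same check can be repeated after a firmware update.
Host and port are assumptions; no network access is needed for the parsing.
"""
import re
import socket

# Dropbear release that fixed CVE-2016-7406 (per the 2016.74 changelog).
FIXED_DROPBEAR = "2016.74"

# Constructed sample: the banner shown in the Nessus output above.
SAMPLE_BANNER = "SSH-2.0-dropbear_2012.55"

# Dropbear versions are year.release, e.g. 2012.55, 2016.74, 2019.78.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-dropbear_(?P<ver>\d{4}\.\d+)")


def version_key(version: str) -> tuple:
    """'2012.55' -> (2012, 55) so releases compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def parse_dropbear_banner(banner: str):
    """Return the Dropbear release from an SSH identification line, or None
    when the line is not a Dropbear banner (OpenSSH, for example)."""
    match = BANNER_RE.match(banner.strip())
    return match.group("ver") if match else None


def is_vulnerable(version: str, fixed: str = FIXED_DROPBEAR) -> bool:
    """True when the installed release predates the fixed release."""
    return version_key(version) < version_key(fixed)


def read_identification_line(conn) -> str:
    """Read the SSH identification string from a connected socket-like object.

    RFC 4253 section 4.2 lets a server send other lines before the version
    line, so anything that does not start with 'SSH-' is skipped.
    """
    buffer = b""
    while True:
        chunk = conn.recv(256)
        if not chunk:
            raise ConnectionError("peer closed the connection before sending an SSH banner")
        buffer += chunk
        while b"\n" in buffer:
            line, buffer = buffer.split(b"\n", 1)
            text = line.rstrip(b"\r").decode("ascii", "replace")
            if text.startswith("SSH-"):
                return text
        if len(buffer) > 4096:
            raise ValueError("no SSH identification line within 4 KiB")


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and return the identification line. Nothing is sent and no
    authentication is attempted; the server volunteers its version."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return read_identification_line(conn)


def assess(banner: str) -> dict:
    """Summarise one banner the way the scanner's finding does."""
    version = parse_dropbear_banner(banner)
    return {
        "banner": banner,
        "dropbear_version": version,
        "vulnerable": version is not None and is_vulnerable(version),
        "fixed_version": FIXED_DROPBEAR,
    }


if __name__ == "__main__":
    import sys
    # Assumption: an optional target host on the command line; otherwise use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(assess(grab_ssh_banner(target) if target else SAMPLE_BANNER))
```

Run it with the router's address to confirm the finding, and again after the update: a banner of 2016.74 or later comes back as not vulnerable, and a router with SSH disabled refuses the connection outright, which is the better outcome.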

With root access to the router, an attacker can: intercept and inspect all network traffic passing through the device (including unencrypted internal communications), reroute traffic to attacker-controlled infrastructure, install persistent backdoors that survive router reboots, map the entire internal network, and pivot to attack every device behind the router from a trusted internal position. The router is not just a vulnerable endpoint — it is the keys to every other device on the network.

INTERNET-REACHABLE NO AUTH REQUIRED ROOT EXECUTION UNPATCHED SINCE 2016 INDEXED ON SHODAN
⚠️
THE SECONDARY ROUTER FINDING

The same router also carried a second vulnerability: CVE-2016-6255, an arbitrary file write flaw in the libupnp library. An unauthenticated attacker could send a crafted HTTP POST to a path with no registered handler and have its body written to the UPnP service's web root on the device. The CVSS score on this one was 7.5: the vector is integrity-only (C:N/I:H/A:N), which is why it sits below the Dropbear finding, but it is a second, independent, unauthenticated way to tamper with the network edge, on the same device, at the same time.

The Router Was Not the Only Problem

Eleven devices were scanned. The router was the most immediately alarming single finding, but the pattern it revealed — equipment running old software, never updated, never checked — repeated itself across the network.

ASSESSMENT SUMMARY — 11 HOSTS SCANNED
192.168.0.1 — TP-LINK ROUTER: 1 Critical · 2 High · 3 Medium (CVSS 9.8 · root RCE · internet-facing)
192.168.0.110 — LINUX WEB SERVER: 3 Critical · 7 High · 8 Medium (PHP 7.3.9 EOL · multiple RCE paths)
192.168.0.102 / .106 — SSL HOSTS: 1 High each (deprecated TLS · anonymous cipher suites · untrusted certificate)
WINDOWS HOSTS — MULTIPLE: SMB signing off · passwords never expire · unquoted service paths (lateral movement ready)
DNS — ZONE TRANSFER ENABLED: internal network map disclosed on request (AXFR unrestricted · recon goldmine)
Total: 4 Critical · 11 High · 29 Medium across 11 hosts
192.168.0.110 — The Web Server
Linux · PHP 7.3.9 · End of Life December 2021
3 CRITICAL

While the router was the single most dangerous finding, this server came back with three critical and seven high-severity vulnerabilities, the highest combined count of any host on the network. It was running PHP 7.3.9, released in August 2019; the 7.3 branch has had no security patch since December 2021, and this install was missing every 7.3.x fix released after 7.3.9 as well. The Nessus scan identified multiple independent paths to unauthenticated remote code execution, including a heap buffer overflow in phar_extract_file() (CVE-2020-7061, CVSS 9.1) and remote code execution in PHP-FPM behind an nginx fastcgi_split_path_info configuration (CVE-2019-11043, CVSS 9.8, fixed in 7.3.11). An outdated jQuery library added cross-site scripting exposure on top. One caveat: Nessus reports these from the version string, so each should be confirmed against the stack actually in use (CVE-2019-11043 needs PHP-FPM behind nginx with that path-splitting regex; CVE-2020-7061 is described by PHP as affecting PHAR extraction on Windows) before it is written up as a confirmed RCE path. The end-of-life status needs no such confirmation.

Like the router, this server had not been patched or updated since it was deployed. It was simply running — doing whatever it was set up to do — while accumulating years of publicly known, publicly exploitable vulnerabilities.

PHP 7.3.9 — EOL HEAP BUFFER OVERFLOW REMOTE CODE EXECUTION JQUERY XSS UNPATCHED SINCE 2021
Windows Hosts + DNS — The Supporting Cast
Lateral Movement Infrastructure · Active Directory Recon

Across the Windows workstations, three findings combined to create a clear lateral movement path. SMB signing was not required, opening the door to NTLM relay attacks: an attacker who has already gained a network foothold can intercept authentication traffic and relay it to other hosts without ever cracking a password. Unquoted service paths on multiple hosts provide a privilege escalation vector once an attacker has local access, provided a low-privileged user can write to one of the directories along the unquoted path; that ACL check is what separates a scanner hit from a confirmed finding. User account passwords were set to never expire, meaning credentials compromised last year, or five years ago, are still valid today.
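The mechanism behind the unquoted-service-path finding, as an added example that is not from the assessment: given the service entries Windows stores in the registry, it flags unquoted paths containing spaces, lists the executable names CreateProcess would try before the real one, and names the directories whose permissions decide whether the finding is exploitable. The service entries are constructed samples; live_services() assumes PowerShell is available on the host being audited.

```python
"""Flag unquoted Windows service paths and show why they matter.

Added example, not from the original assessment. A service whose ImagePath is
unquoted and contains spaces is started through CreateProcess, which tries
each space-delimited prefix of the path as an executable before the real one.
Whoever can write to one of the directories on that chain can plant a binary
that runs as the service account (usually SYSTEM). The service list below is a
constructed sample; live_services() assumes PowerShell is on the host.
"""
import ntpath
import re
import subprocess
from typing import List, Tuple

# Constructed sample: (service name, ImagePath as stored under HKLM\SYSTEM\...\Services).
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("XRaySync", r"C:\Program Files\Dental Imaging\Sync Service\xraysync.exe -svc"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("BackupAgent", r'"C:\Program Files\Backup Tools\agent.exe" /service'),
    ("UpdateHelper", r"C:\Tools\helper.exe"),
]

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """The path up to and including the executable; arguments are not part of it."""
    match = EXE_RE.match(image_path.strip())
    return match.group(1) if match else image_path.strip()


def is_unquoted_with_spaces(image_path: str) -> bool:
    """Quoted paths are safe; unquoted ones matter only if they contain a space."""
    path = image_path.strip()
    return not path.startswith('"') and " " in executable_part(path)


def search_candidates(exe_path: str) -> List[str]:
    """Executables CreateProcess tries, in order, for an unquoted path with spaces."""
    tokens = exe_path.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))] + [exe_path]


def directories_to_check(candidates: List[str]) -> List[str]:
    """Directories where a planted binary would be picked up ahead of the real one.
    Check their ACLs (icacls) for write access by non-admin users or groups."""
    return sorted({ntpath.dirname(c) for c in candidates[:-1]})


def audit(services: List[Tuple[str, str]]) -> List[dict]:
    """Return one finding per unquoted service path, including the quoted fix."""
    findings = []
    for name, image_path in services:
        if not is_unquoted_with_spaces(image_path):
            continue
        exe = executable_part(image_path)
        args = image_path.strip()[len(exe):]
        candidates = search_candidates(exe)
        findings.append({
            "service": name,
            "image_path": image_path,
            "candidates": candidates,
            "writable_dirs_to_check": directories_to_check(candidates),
            # Apply with: sc config <name> binPath= "<quoted path and arguments>"
            "fixed_image_path": f'"{exe}"{args}',
        })
    return findings


def live_services() -> List[Tuple[str, str]]:
    """Enumerate real services on a Windows host (assumes PowerShell is available)."""
    script = "Get-CimInstance Win32_Service | ForEach-Object { $_.Name + '|' + $_.PathName }"
    out = subprocess.run(["powershell", "-NoProfile", "-Command", script],
                         capture_output=True, text=True, check=True).stdout
    return [tuple(line.split("|", 1)) for line in out.splitlines() if "|" in line]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES):
        print(finding["service"], "would first try", finding["candidates"][0])
        print("  check write access on:", finding["writable_dirs_to_check"])
        print("  fix:", finding["fixed_image_path"])
```

The output for the sample shows the point the scanner's one-line finding hides: C:\ and C:\Program Files are normally not writable by ordinary users, so the hit is only exploitable if an application installer has loosened the ACL on one of those directories, and that is the check to do before marking it confirmed.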

DNS was configured to allow unrestricted zone transfers (AXFR). Anyone who asked the DNS server for a complete list of internal hostnames received one, no authentication required; a single dig axfr query against the server reproduces it. This is reconnaissance as a service: the internal network map handed directly to an attacker doing pre-exploitation information gathering.
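The zone transfer request that reproduces the DNS finding, as an added example that is not part of the original assessment: a minimal AXFR client using only the standard library, with a constructed server response so the parser can be exercised without a server. The zone name practice.local and the server address are assumptions. A server that is correctly restricted answers with RCODE 5 (REFUSED), which parse_records() reports instead of returning an empty list.

```python
"""Ask a DNS server for a zone transfer (AXFR) and list what it hands over.

Added example, not from the original assessment. AXFR runs over TCP, each DNS
message prefixed by a two-byte length, and a server that answers it without
restriction returns every record in the zone. Zone name and server address
are assumptions; constructed_axfr_response() builds a sample reply so the
parser can be exercised offline.
"""
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 33: "SRV", 252: "AXFR"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """'practice.local.' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Standard query, one question, QTYPE 252 (AXFR), QCLASS IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", 252, 1)


def read_name(msg: bytes, offset: int):
    """Decode a name, following compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_records(msg: bytes):
    """Return [(owner, type, rdata summary)] from the answer section of one message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode:                                           # REFUSED when transfers are restricted
        raise PermissionError(f"server answered {RCODE_NAMES.get(rcode, rcode)}")
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            summary = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype in (2, 5, 12):                       # NS, CNAME, PTR carry a name
            summary = read_name(msg, offset)[0]
        else:
            summary = f"{rdlen} bytes"
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), summary))
        offset += rdlen
    return records


def recv_exact(conn, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = conn.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-transfer")
        data += chunk
    return data


def axfr(zone: str, server: str, port: int = 53, timeout: float = 10.0):
    """Request the transfer and collect records until the closing SOA arrives."""
    query = build_axfr_query(zone)
    records, soa_count = [], 0
    with socket.create_connection((server, port), timeout=timeout) as conn:
        conn.sendall(struct.pack("!H", len(query)) + query)
        while soa_count < 2:                            # a transfer starts and ends with the SOA
            (length,) = struct.unpack("!H", recv_exact(conn, 2))
            batch = parse_records(recv_exact(conn, length))
            records.extend(batch)
            soa_count += sum(1 for r in batch if r[1] == "SOA")
    return records


def constructed_axfr_response(zone: str = "practice.local.", txid: int = 0x1234) -> bytes:
    """Constructed sample of an open server's reply: SOA, NS, A, SOA in one message."""
    zone_ptr = b"\xc0\x0c"                              # pointer to the zone name at offset 12
    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    soa = rr(zone_ptr, 6, encode_name("ns1." + zone) + encode_name("admin." + zone)
             + struct.pack("!IIIII", 2026031501, 3600, 900, 604800, 86400))
    ns = rr(zone_ptr, 2, b"\x03ns1" + zone_ptr)
    a = rr(b"\x04dc01" + zone_ptr, 1, bytes([192, 168, 0, 10]))
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 4, 0, 0)   # QR + AA set, RCODE 0
    return header + encode_name(zone) + struct.pack("!HH", 252, 1) + soa + ns + a + soa
```

Against the server in this engagement the equivalent of axfr("practice.local.", "192.168.0.x") would return every host record in the zone; after the remediation in the checklist below, the same call raises PermissionError with REFUSED, which is the result to record as evidence.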

SMB SIGNING DISABLED DNS ZONE TRANSFER OPEN NON-EXPIRING PASSWORDS UNQUOTED SERVICE PATHS

The POPIA Exposure

A dental practice holds some of the most sensitive personal information in the South African healthcare system. Patient records contain names, ID numbers, contact details, medical histories, medication information, chronic conditions and treatment records. Under POPIA all of that is personal information, and the health-related parts are special personal information, the category afforded the highest level of protection under the Act, covered specifically by Section 26.

The CVSS 9.8 router vulnerability means that any attacker with internet access had a credible, low-effort, unauthenticated path to the network edge — and from there, via the DNS zone transfer, a complete internal map. Via the unpatched PHP server, a direct path to the web-facing infrastructure. Via the disabled SMB signing and non-expiring passwords, a lateral movement path across Windows workstations. None of these attack paths required chaining zero-days. Every single one was documented, patched, and publicly known for years.

Under Section 19 of POPIA, a responsible party must take "appropriate, reasonable, technical and organisational measures" to secure personal information against unauthorised access. A router running a CVSS 9.8 vulnerability disclosed in 2016, unpatched for a decade, on a network holding thousands of patient records — that is a difficult posture to characterise as appropriate or reasonable.

⚖️
SECTION 22 NOTIFICATION OBLIGATIONS

If these vulnerabilities had been exploited and patient data accessed, Section 22 would have required notification to the Information Regulator and to every affected data subject, potentially thousands of individuals. The IBM Cost of a Data Breach Report 2025 puts the average South African breach cost at R44.1 million. The Act also provides for administrative fines of up to R10 million (Section 109) and, for the offences set out in Section 107, fines and imprisonment for responsible parties who fail to comply. The router firmware update was free.

What Was Done — and What You Should Do

The client received a prioritised remediation plan on the day findings were reported. Critical items were addressed within two weeks. Here is what was done, and what every practice with similar infrastructure should check immediately.

REMEDIATION CHECKLIST — NETWORK INFRASTRUCTURE
Update Router Firmware — Check It Now, Today
Log into your router's admin interface and check the firmware version. If you don't know how to do this, call your IT provider today — not next week. For TP-Link and most consumer-grade routers, firmware updates are free downloads from the manufacturer's website. The patch for the Dropbear SSH vulnerability on this device has been available since 2016. If your router is more than two or three years old and has never been updated, assume it needs attention. If it is so old the manufacturer no longer provides updates, replace it. A business-grade router suitable for a small practice costs under R2,000.
Disable SSH Access on the Router Unless Actively Needed
The SSH management interface on a small practice router almost certainly does not need to be enabled; your IT provider almost certainly manages the router through its web interface, not SSH. Disabling SSH removes the attack surface for the Dropbear vulnerability even before the firmware is updated. In the router admin panel, look for "Remote Management", "SSH" or "Telnet" settings and disable any remote access options that are not actively required. If the admin panel offers no way to turn SSH off, as is common on consumer firmware, only a firmware update or a replacement device removes it. If your IT provider does need SSH access, restrict it to their source IP address only, and check from outside the practice that port 22 is closed on the public address once you are done.
Migrate Off End-of-Life Software
PHP 7.3.x reached end of life on December 6, 2021, so the branch has had no security patch in over four years, and a server still on 7.3.9 (released in August 2019) is also missing the 7.3.x fixes that came before that date. If you have a web server, web application or practice portal, ask your developer or IT provider what PHP version it runs. Upgrading to a supported version (PHP 8.2 or later) requires testing for compatibility with existing applications, but it is a standard migration that any competent PHP developer can perform. Running end-of-life software is not a minor oversight; it is a known, documented, exploitable risk.
Enable SMB Signing and Restrict DNS Zone Transfers
SMB signing should be required on all Windows hosts; this closes the NTLM relay path. On a domain that is the Group Policy settings "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)", both set to Enabled. DNS zone transfers (AXFR) should be restricted to authorised secondary DNS servers only (on Windows DNS, the zone's Zone Transfers tab; in BIND, allow-transfer), or disabled entirely if you are not running secondary DNS replication. Both of these are configuration changes your IT provider can implement in under an hour. Neither requires hardware changes or software purchases. After the change, a test zone transfer from an ordinary workstation should be refused. Password expiry policies should also be configured; accounts that never expire create a permanent credential exposure window, and any password that has been in place for years should be rotated when the policy is introduced.
Run a Vulnerability Assessment — Then Run One Annually
The router in this engagement had been running a CVSS 9.8 vulnerability for the better part of a decade because nobody had ever looked. A Nessus-based vulnerability assessment of an 11-device network takes a few hours and produces a prioritised finding list you can hand directly to your IT provider. This should not be a one-off exercise — the threat landscape changes, software versions age, new vulnerabilities are disclosed. Annual assessment is the minimum cycle for a practice holding special personal information under POPIA. It is also the most direct evidence that you are meeting your Section 19 obligations.

The Quiet Hum in the Corner

Somewhere in your practice, right now, there is a device that nobody thinks about. It hums. It does its job. No one has logged into it in years. Maybe it's the router. Maybe it's a network switch, a NAS drive, a print server. Maybe it's the PC running the X-ray software that the vendor said "just leave it on Windows 7 for compatibility." Maybe it's a camera system with a web interface that ships with a default password that has never been changed.

The practice in this case study was not negligent. They were not reckless. They had IT support. They had a working network. They had backups. They had just never had anyone look at what was actually on that network, and what state it was in, because why would they? It just worked.

A vulnerability assessment is not an accusation. It is a flashlight. It shows you what is in the corners so you can deal with it before someone else finds it first — someone with less constructive intentions.

In this engagement, the client found out before a breach. The findings were reported, the critical items were remediated within two weeks, and a patch management cycle was put in place. They now have a documented security baseline and a repeatable annual assessment schedule. That is what the process looks like when it works.

Book a Dental Practice Vulnerability Assessment

We assess dental and healthcare practices specifically — network infrastructure, patch status, configuration weaknesses, and POPIA alignment. Conducted by a dentist who understands your clinical environment. You get a written findings report and a prioritised remediation plan. Conducted under strict NDA.

Dr David Sykes

Practicing dentist and independent cybersecurity practitioner based in Umhlanga, South Africa. Founder of Greyhat4Hire. Specialises in penetration testing and vulnerability assessments of healthcare and dental practices — with the unique advantage of understanding the clinical environment from the inside.
