Virginmedia Hub3 or Arris Cable Modem


This blog post was inspired by recent problems with the new Virgin Media Hub v3.0. Specifically changing our network range to the non-default range.

The default range is However, this causes routing issues when we try to VPN back to home-base when the client’s range matches our native home-base range (despite having a specific VPN range); this is why we usually configure an insane internal network range to avoid these possible collisions (e.g. our internal range may be - this is just an example).

The Virgin Media interface is a simplified cut-down version compared to the original Arris and previously available versions and a lot of the more flexible features (such as deciding your own network lan range).
Looking at the community forums for other opinions and findings on this matter, revealed that some of these issues could be solved using SNMP.

So we started looking in Arris SNMP MIBS and found the following page useful in our research:

SNMP Controls

The Virgin Hub is re-skinned Arris cable-modem router, but by using any modern browsers Web-developer toolset (Chrome, Firefox, Safari, Edge), we can observed the AJAX (XHR) calls underneath to reveal the API calls we can utilise to access additional information:


We extracted the following URL’s, while clicking around and changing settings:


We can use the above URLs to obtain, query and change settings on our router.

Is this a vulnerability?

Sadly no, as to gain access or modify this information you need to be first authenticated with the device.


The following tokens/variables are obtained after a successful login:

  • _n
  • _

For best results, we recommend first logging into the HomeHub and copying these tokens from the underlying AJAX calls.

Intersting Calls

Router Configuration



Read Firewall log


Router Logs


LAN Configuration


Firewall Enabled True/False


UPnP Enabled True/False


LAN Client Information


Reveal WiFi Passwords



If you want to query an individual setting you can use snmpGet

Get arrisRouterSerialNumber :



Query DNS Settings


    The returned strings, e.g. $c2a80464 are hex-notation of the IP address, these can easily be decoded to the default Virgin Media DNS servers e.g.


Change the guest wifi name to “aaaaa”; Note you have to URL encode the string and start with %24:


Before this setting is changed, we need to send an Apply signal:

  •;2;&n=xxx&=xxxxxxxx If you tried these strings on your own Arris cable modem, your guest WiFi SSID should read “aaaaa”

Attempt Changing the DNS to


Despite trying to change the DNS settings to - unfortunately they remain unchanged from the default settings. Hints on the Virgin community forums are that this specific issue has been previously reported, and now a number of settings have been changed to read-only values.

This is backed up by the log entry (again using the snmpwalk API to obtain this info)


Changing the default network range

Set Gateway IP:


Set DHCP Start (


Set DHCP End (





SNMP is a simple and powerful protocol for network management. It looks like Arris and Virgin Media are aware of the strengths and weaknesses of this protocol and the API interface, and have made several settings read-only; Hopefully, to prevent attackers from hijacking the cable modems for nefarious purposes; Or simply to stop customers messing with settings and bricking their modems.

Share on: