CVE-2020-28899

Published: Mar 16, 2021Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi passphrase, send an SMS message, or modify the IP forwarding to access the internal network.

Affected (3)

Products: Zyxel: Lte4506 M606 Firmware, Lte7460 M608 Firmware, Wah7706 Firmware

Zyxel

3 products

Lte4506 M606 Firmware

Lte7460 M608 Firmware

Wah7706 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Lte4506 M606 Firmware	Before v1.00\(abdo.6\)c0

Running on/with	Platform Versions
Zyxel Lte4506 M606	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Lte7460 M608 Firmware	Before v1.00\(abfr.5\)c0

Running on/with	Platform Versions
Zyxel Lte7460 M608	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Wah7706 Firmware	Before v1.00\(abbc.11\)c0

Running on/with	Platform Versions
Zyxel Wah7706	All versions

Related CWEs

CWE-306

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (2)

https://www.zyxel.com/support/Zyxel-security-advisory-for-CGI-vulnerability-of-LTE.shtml

Source: cve@mitre.org

Vendor Advisory

https://www.zyxel.com/support/Zyxel-security-advisory-for-CGI-vulnerability-of-LTE.shtml

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.