cbcvebase.
CVE-2017-14147
published 2017-09-07

Priority P279 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 65.62% (99.2th percentile)

An issue was discovered on FiberHome User End Routers bearing model number AN1020-25 which could allow an attacker to easily restore a router to its factory settings by simply browsing to the link http://[Default-Router-IP]/restoreinfo.cgi and executing it. Due to improper authentication on this page, the software accepts the request, allowing an attacker to reset the router to its default configuration, which could later allow the attacker to log in to the router using the default username/password.

Detection & IOCs (extracted from sources)

url: http://[Default-Router-IP]/restoreinfo.cgi
path: /restoreinfo.cgi
command: GET /restoreinfo.cgi HTTP/1.1
ip: 192.168.1.1
  • Detect unauthenticated HTTP GET requests to /restoreinfo.cgi on FiberHome AN1020-25 routers; a 200 OK response with body containing 'DSL Router Restore' confirms successful exploitation.
  • Alert on HTTP response body containing the string 'The DSL Router configuration has been restored to default settings' as an indicator of a successful factory reset trigger.
  • The server banner 'micro_httpd' in HTTP responses can help fingerprint the vulnerable FiberHome AN1020-25 device for targeted scanning or alerting.
  • The exploit requires no authentication and works from any remote host that can reach the router's web interface; the default gateway IP (192.168.1.1) is used in the PoC but any reachable router IP applies.
  • After a successful factory reset, the router reverts to default credentials, enabling a follow-on admin login attack; defenders should monitor for both the reset request and subsequent admin panel login attempts.
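
The detection notes above can be combined into one correlation rule. The following is an added example, not code from this page or from any vendor: it flags unauthenticated GET requests to /restoreinfo.cgi, confirms the reset from the response strings quoted above, and then flags authenticated requests to the same router shortly afterwards. The record layout, the sample records, the 30-minute window and the use of an Authorization header as the sign of a login attempt are all assumptions.

```python
from datetime import datetime, timedelta

RESET_PATH = "/restoreinfo.cgi"
# Response strings quoted in the detection notes above.
BODY_MARKERS = ("DSL Router Restore",
                "The DSL Router configuration has been restored to default settings")
LOGIN_WINDOW = timedelta(minutes=30)  # assumption: tune to your environment

# Constructed sample records, not real traffic. Assumed layout:
# (time, source, router, request line, Authorization header present, status, body excerpt)
SAMPLE = [
    ("2017-09-07T09:00:00", "203.0.113.9", "192.168.1.1", "GET /index.html HTTP/1.1", True, 200, ""),
    ("2017-09-07T10:00:00", "203.0.113.5", "192.168.1.1", "GET /restoreinfo.cgi HTTP/1.1", False, 200,
     "<title>DSL Router Restore</title>The DSL Router configuration has been restored to default settings"),
    ("2017-09-07T10:02:10", "203.0.113.5", "192.168.1.1", "GET / HTTP/1.1", True, 200, ""),
    ("2017-09-07T11:30:00", "203.0.113.7", "192.168.1.1", "GET /restoreinfo.cgi HTTP/1.1", False, 401, ""),
    ("2017-09-07T12:00:00", "203.0.113.9", "192.168.1.1", "GET / HTTP/1.1", True, 200, ""),
    ("2017-09-07T12:05:00", "203.0.113.9", "192.168.1.1", "garbage", False, 400, ""),
]

def detect(records):
    """Return (alert, source, router) tuples in time order."""
    alerts, last_reset = [], {}
    for ts, src, dst, line, has_auth, status, body in sorted(records):
        when = datetime.fromisoformat(ts)
        parts = line.split()
        if len(parts) < 2:  # malformed request line: nothing to match
            continue
        method, path = parts[0], parts[1].split("?", 1)[0]  # ignore any query string
        if method == "GET" and path == RESET_PATH and not has_auth:
            if status == 200 and any(m in body for m in BODY_MARKERS):
                last_reset[dst] = when  # reset confirmed by the response body
                alerts.append(("reset-confirmed", src, dst))
            else:
                alerts.append(("reset-attempt", src, dst))
        # Assumption: a request carrying credentials is treated as an admin login attempt.
        elif has_auth and dst in last_reset and when - last_reset[dst] <= LOGIN_WINDOW:
            alerts.append(("login-after-reset", src, dst))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

A request that does not return the confirming body is still reported as an attempt, so a patched or access-controlled router that rejects the request still produces a lower-severity signal.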

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P