CVE-2020-11966
published 2020-04-21


Priority P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 2.99% (85.6th percentile)

Description

In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”

Affected

1 range
Vendor: evenroute · Product: iqrouter_firmware · Version range: <= 3.3.1 · Fixed in: (none listed)

Detection & IOCs (extracted from sources)

URL paths:
/cgi-bin/luci/er/reset_password/
/cgi-bin/luci/er/vlanTag
/cgi-bin/luci/er/verify_wifi
/cgi-bin/luci/er/screen9
/cgi-bin/luci/er/screen4
/cgi-bin/luci/er/screen2
/cgi-bin/luci/er/screen10
/cgi-bin/luci/er/screen1
/cgi-bin/luci/er/register
/cgi-bin/luci/er/wifi
/cgi-bin/luci/er/reboot_link
/cgi-bin/luci/er/diag_wifi
/cgi-bin/luci/er/diag_set_static_wan
/cgi-bin/luci/er/diag_set_static_modem
/cgi-bin/luci/er/diag_set_device_name_and_sync
/cgi-bin/luci/er/diag_set_device_name
/cgi-bin/luci/er/diag_pppoe_update
/cgi-bin/luci/er/diag_pppoe
/cgi-bin/luci/er/diag_pppoa_update
/cgi-bin/luci/er/diag_pppoa
/cgi-bin/luci/er/advanced_link
/cgi-bin/luci/er/diag_set_password/c00lpasswd/
/cgi-bin/luci/er/get_syslog
/cgi-bin/luci/er/index?reset_config=1
/cgi-bin/luci/er/screen7?upgrade=1
  • All exploit endpoints are unauthenticated (no-auth RCE). Monitor HTTP GET requests to any /cgi-bin/luci/er/* path containing backtick shell metacharacters (e.g., '`...`') in query parameters or URL path segments.
  • The reset_password endpoint changes root password to the static value 'changeme' without authentication. Alert on any GET to /cgi-bin/luci/er/reset_password/.
  • The diag_set_password endpoint allows unauthenticated root password change to an arbitrary value supplied in the URL path. Alert on GET requests matching /cgi-bin/luci/er/diag_set_password/*/*.
  • Injected commands may use ${IFS} or TAB characters as space substitutes; detection rules should account for these evasion techniques in URL-decoded query strings and path segments.
  • The /cgi-bin/luci/er/get_syslog endpoint leaks router setup information and is used by attackers to retrieve RCE command output (e.g., from the /register email injection). Monitor for unauthenticated access to this path.
  • The vendor states this vulnerability only affects devices in their initial unconfigured state (before the forced setup wizard is completed). Devices that have completed initial configuration with a secure password set are not considered vulnerable by the vendor.
  • The RCE endpoints under rce_setup require the router to be in setup/initial-configuration mode to be exploitable, whereas rce_any endpoints work regardless of setup state.
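A log-scanning check that implements the detection points above, added here as an example; it is not part of the CVE record or of the vendor's code. The access-log lines are constructed, and the function and constant names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the page); the request
# targets mirror endpoints listed in the Detection & IOCs section.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2020:10:00:01 +0000] "GET /cgi-bin/luci/er/reset_password/ HTTP/1.1" 200 12
10.0.0.5 - - [21/Apr/2020:10:00:02 +0000] "GET /cgi-bin/luci/er/diag_set_password/c00lpasswd/ HTTP/1.1" 200 12
10.0.0.5 - - [21/Apr/2020:10:00:03 +0000] "GET /cgi-bin/luci/er/wifi?ssid=%60id%60 HTTP/1.1" 200 12
10.0.0.5 - - [21/Apr/2020:10:00:04 +0000] "GET /cgi-bin/luci/er/register?email=a%24%7BIFS%7Db HTTP/1.1" 200 12
10.0.0.5 - - [21/Apr/2020:10:00:05 +0000] "GET /cgi-bin/luci/er/get_syslog HTTP/1.1" 200 4096
10.0.0.7 - - [21/Apr/2020:10:00:06 +0000] "GET /cgi-bin/luci/er/screen1 HTTP/1.1" 200 12
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
ER_PREFIX = "/cgi-bin/luci/er/"
SPACE_SUBSTITUTES = ("${IFS}", "\t")  # space substitutes seen in injected commands

def classify_request(target: str) -> list[str]:
    """Return the detection reasons for one request target (empty = no alert)."""
    reasons = []
    parts = urlsplit(target)
    path, query = unquote(parts.path), unquote(parts.query)  # decode before matching
    if not path.startswith(ER_PREFIX):
        return reasons
    decoded = path + "?" + query
    if "`" in decoded:
        reasons.append("backtick shell metacharacter in /cgi-bin/luci/er/ request")
    if any(sub in decoded for sub in SPACE_SUBSTITUTES):
        reasons.append("space substitute (${IFS} or TAB) in /cgi-bin/luci/er/ request")
    segments = [s for s in path[len(ER_PREFIX):].split("/") if s]
    if segments[:1] == ["reset_password"]:
        reasons.append("unauthenticated root password reset to the static value")
    if segments[:1] == ["diag_set_password"] and len(segments) >= 2:
        reasons.append("unauthenticated root password set to a URL-supplied value")
    if segments[:1] == ["get_syslog"]:
        reasons.append("syslog retrieval (setup-info leak / command-output pickup)")
    return reasons


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Run classify_request over every GET line; return (target, reasons) hits."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and m.group("method") == "GET":
            reasons = classify_request(m.group("target"))
            if reasons:
                hits.append((m.group("target"), reasons))
    return hits
```

Matching runs on the URL-decoded path and query, so percent-encoded backticks, `${IFS}` and `%09` (TAB) are caught; a plain `screen1` request produces no alert.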

CVSS provenance

NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P