CVE-2023-49230
published 2023-12-28


Priority: P2 59 · high 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.05% (78.8th percentile)
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| peplink | balance_two_firmware | < 8.4.0 | 8.4.0 |

Detection & IOCs (extracted from sources)

url: /guest/portal_admin_upload.cgi
url: /guest/preview.cgi?portal_id=1
path: /guest/api.cgi
command: POST /guest/portal_admin_upload.cgi (multipart form-data with fields: option=edit_page, mode=submit, portal_id=1, data={JSON config}, logo_action=x)
command: mode=info&option=preview&portal_id=1
  • Detect unauthenticated POST requests to /guest/portal_admin_upload.cgi with multipart/form-data containing option=edit_page and mode=submit — no session/auth cookie required.
  • A successful exploitation response contains the JSON string '"status": "save_success"' in the HTTP response body from /guest/portal_admin_upload.cgi.
  • Verify exploitation by issuing POST to /guest/api.cgi with body mode=info&option=preview&portal_id=1 and confirming the injected value appears in the response body with HTTP 200.
  • Shodan fingerprinting query for exposed Peplink Balance Two devices: html:"PEPLINK"
  • Fingerprint the target device by checking for the string 'Peplink' in the body of GET /cgi-bin/MANGA/index.cgi before attempting exploitation.
  • The vulnerability only affects Peplink Balance Two firmware versions prior to 8.4.0; devices running 8.4.0 or later are not affected.
  • The attack requires user interaction (UI:R per CVSS), meaning full exploitation may depend on a victim action even though the missing authorization check means no authentication is needed.
  • The multipart boundary value used in the PoC template is fixed (370611892836891531633729116268); real-world requests may use different boundary strings.
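
The detection notes above can be turned into a log check. The following is an added example, not code from this page or its sources: it flags cookie-less POSTs to /guest/portal_admin_upload.cgi carrying option=edit_page and mode=submit, reads the multipart boundary from the Content-Type header instead of matching the fixed PoC boundary, and marks a hit as successful when the response body contains "status": "save_success". The record layout (dict keys such as `req_body`, `resp_body`, `cookie`), the sample records, and the rule that any Cookie header counts as an authenticated session are assumptions.

```python
import re

UPLOAD_PATH = "/guest/portal_admin_upload.cgi"  # endpoint named on this page

def multipart_fields(content_type, body):  # form fields, split on the header's boundary
    m = re.search(r'boundary="?([^";]+)"?', content_type or "", re.I)
    if not m:
        return {}
    fields = {}
    for part in body.split("--" + m.group(1)):
        head, sep, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', head)
        if sep and name:
            fields[name.group(1)] = value.rstrip("\r\n")
    return fields

def classify(rec):
    """Return 'success', 'attempt' or None for one HTTP transaction record."""
    if rec["method"] != "POST" or rec["path"].split("?")[0] != UPLOAD_PATH:
        return None
    f = multipart_fields(rec.get("content_type"), rec.get("req_body", ""))
    if f.get("option") != "edit_page" or f.get("mode") != "submit":
        return None
    if rec.get("cookie"):  # assumption: any Cookie header means a logged-in session
        return None
    saved = re.search(r'"status"\s*:\s*"save_success"', rec.get("resp_body", ""))
    return "success" if saved else "attempt"

def scan(records):  # (source, verdict) for every flagged record
    return [(r["src"], v) for r in records if (v := classify(r))]

def _body(boundary, **fields):  # constructed multipart body for the samples
    parts = "".join(f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
                    for k, v in fields.items())
    return parts + f"--{boundary}--\r\n"

FORM = dict(option="edit_page", mode="submit", portal_id="1", data="{}", logo_action="x")
def _rec(src, boundary, cookie, resp, method="POST", path=UPLOAD_PATH):
    return dict(src=src, method=method, path=path, cookie=cookie, resp_body=resp,
                content_type=f"multipart/form-data; boundary={boundary}",
                req_body=_body(boundary, **FORM))

SAMPLES = [  # constructed records; addresses are documentation ranges
    _rec("192.0.2.10", "aaa111", "", '{"status": "save_success"}'),
    _rec("192.0.2.11", "zz-9", "", ""),
    _rec("198.51.100.5", "bbb222", "sid=constructed", '{"status": "save_success"}'),
    _rec("192.0.2.12", "ccc333", "", "", method="GET", path="/guest/preview.cgi?portal_id=1"),
]
print(scan(SAMPLES))
```

An "attempt" verdict on a device already running 8.4.0 or later is still worth reviewing as probing, since the request shape matches the pattern described above.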