cbcvebase.
CVE-2023-49255
published 2024-01-12

CVSS 3.1: 9.8 (critical)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.72% (49.1th percentile)
Priority: P358
The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated one. If the logged in user has administrative privileges, it is possible to use webadmin service configuration commands to create a new admin user with a chosen password.

Affected (2 ranges)

Vendor     Product                Version range   Fixed in
hongdian   h8951-4g-esp           < 2310271149    2310271149
hongdian   h8951-4g-esp_firmware  < 2310271149    2310271149