CVE-2017-8840

Name of the Vulnerable Software and Affected Versions Peplink Balance devices (versions prior to 7.0.1-build2093)

Description A debug information disclosure issue exists, allowing access to sensitive device information. By making a direct request to the "cgi-bin/HASync/hasync.cgi?debug=1" endpoint, an attacker can obtain the Master LAN Address, Serial Number, HA Group ID, Virtual IP, and Submitted syncid.

Recommendations For Peplink Balance devices with firmware before 7.0.1-build2093, update to firmware version 7.0.1-build2093 or later to resolve the issue. As a temporary workaround, consider restricting access to the cgi-bin/HASync/hasync.cgi endpoint to minimize the risk of exploitation.