CVE-2020-11966

Name of the Vulnerable Software and Affected Versions IQrouter versions 3.3.1 and earlier

Description The issue allows remote attackers to change the root password arbitrarily using the Lua function reset password in the web-panel. This can occur on a brand-new network that has not been configured with a secure password. It is noted that this behavior is also seen in unconfigured releases of OpenWRT and other new Linux distributions prior to their initial configuration.

Recommendations For IQrouter versions 3.3.1 and earlier, as a temporary workaround, consider disabling the reset password function in the web-panel until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.