PT-2021-11593 · Zyxel · Zyxel Lte4506-M606

Published

2021-03-16

·

Updated

2025-11-07

·

CVE-2020-28899

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ZyXEL LTE4506-M606 version V1.00(ABDO.2)C0
Description: The web CGI script on the device does not require authentication, so a remote unauthenticated attacker can use every feature the router exposes through it by sending crafted JSON action data to the "/cgi-bin/gui.cgi" API endpoint. Possible actions include changing the router password, retrieving the Wi-Fi passphrase, sending an SMS message, or modifying IP forwarding to reach the internal network.
Recommendations: For ZyXEL LTE4506-M606 version V1.00(ABDO.2)C0, restrict network access to the "/cgi-bin/gui.cgi" API endpoint, in particular from the WAN side and any other untrusted network, until a patch is available. Because the endpoint accepts requests without credentials, changing the administrator password does not by itself mitigate the issue; treat any router password, Wi-Fi passphrase or IP forwarding change you did not make as a sign of compromise and review who has been reaching the endpoint.

Fix

RCE

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2020-28899

Affected Products

Zyxel Lte4506-M606