CVE-2020-23585

Name of the Vulnerable Software and Affected Versions OPTILINK OP-XT71000N version V2.2, Firmware Version: OP V3.3.1-191028

Description A remote attacker can conduct a cross-site request forgery (CSRF) attack due to insufficient CSRF protections for the "mgm config file.asp" file. This allows an attacker to create a crafted "csrf form" that sends malicious XML data to the "/boaform/admin/formMgmConfigUpload" API endpoint. The exploit enables the attacker to gain full privileges and fully compromise the router and network.

Recommendations For OPTILINK OP-XT71000N version V2.2, Firmware Version: OP V3.3.1-191028, as a temporary workaround, consider disabling access to the "/boaform/admin/formMgmConfigUpload" API endpoint until a patch is available. Restrict access to the "mgm config file.asp" file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.