CVE-2020-23587

Name of the Vulnerable Software and Affected Versions OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP V3.3.1-191028

Description A vulnerability allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack, enabling a man-in-the-middle attack by adding new routes in RoutingConfiguration on the "/routing.asp" API endpoint. This issue can be exploited to intercept and manipulate traffic.

Recommendations For OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP V3.3.1-191028, consider disabling access to the "/routing.asp" API endpoint until a patch is available to prevent the addition of new routes in RoutingConfiguration. Restricting access to the RoutingConfiguration feature can also help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.