CVE-2020-23591

Name of the Vulnerable Software and Affected Versions OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP V3.3.1-191028

Description A vulnerability allows an attacker to upload arbitrary files through "/mgm dev upgrade.asp" which can delete every file for Denial of Service (using rm -rf *.* in the code), establish a reverse connection (using .asp webshell), or create a backdoor.

Recommendations For OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP V3.3.1-191028, consider disabling access to the "/mgm dev upgrade.asp" endpoint until a patch is available to prevent arbitrary file uploads. Restrict the use of the rm command and monitor for suspicious .asp webshell activity to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.