CVE-2020-23592

Name of the Vulnerable Software and Affected Versions OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP V3.3.1-191028

Description A vulnerability allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to reset the ONU to factory default through the API endpoint "/mgm dev reset.asp". Resetting to default leads to escalation of privileges by logging in with default credentials.

Recommendations For OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP V3.3.1-191028, consider disabling access to the "/mgm dev reset.asp" API endpoint until a patch is available to prevent exploitation. Additionally, changing default credentials after a reset can help mitigate the risk of escalation of privileges. At the moment, there is no information about a newer version that contains a fix for this vulnerability.