CVE-2020-13857 in MOFI4500-4GXeLTE
Summary
by MITRE • 02/01/2021
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They can be rebooted by sending an unauthenticated poof.cgi HTTP GET request.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/21/2021
The vulnerability identified as CVE-2020-13857 affects Mofi Network MOFI4500-4GXeLTE broadband wireless routers running firmware versions 3.6.1-std and 4.0.8-std. This represents a critical denial of service vulnerability that allows remote attackers to disrupt network services without requiring any authentication credentials. The affected device is a commercial wireless router designed for enterprise and industrial applications, making this vulnerability particularly concerning for organizations relying on uninterrupted network connectivity.
The technical flaw resides in the poof.cgi web script implementation within the router's web interface. This cgi script does not properly validate incoming HTTP GET requests, specifically failing to authenticate or authorize requests before processing them. When an attacker sends an unauthenticated GET request to the poof.cgi endpoint, the device processes this request and triggers an unintended reboot sequence. The vulnerability stems from improper input validation and lack of access controls, which are fundamental security principles outlined in CWE-284 Access Control and CWE-20 Improper Input Validation. The router's web server fails to implement proper authentication mechanisms for critical system functions, allowing any remote user to exploit this weakness.
The operational impact of this vulnerability extends beyond simple service disruption. A successful exploitation results in complete network outage for the affected device, potentially affecting critical infrastructure communications, industrial control systems, or enterprise network connectivity. The remote nature of the attack means that adversaries can trigger reboots from anywhere on the internet without needing physical access or valid credentials, making this particularly dangerous for devices deployed in remote or unattended locations. Organizations using these devices may experience unplanned downtime, potential data loss, and disruption of business operations. According to ATT&CK framework, this vulnerability maps to T1499.004 Endpoint Denial of Service and T1566.001 Phishing, as the attack can be executed through web-based delivery mechanisms.
Mitigation strategies should focus on immediate firmware updates from Mofi Network, which would likely address the authentication bypass in the poof.cgi script. Network segmentation and firewall rules can help limit access to the affected device by restricting HTTP access to only trusted IP addresses. Implementing network monitoring solutions can help detect unusual reboot patterns that may indicate exploitation attempts. Organizations should also consider disabling unnecessary web management interfaces when not actively required for configuration tasks. The vulnerability highlights the importance of implementing principle of least privilege for web interfaces and ensuring that all system management functions require proper authentication before execution, aligning with security best practices established in NIST SP 800-44 and ISO 27001 standards.