CVE-2022-47732 in N412

Summary

by MITRE • 01/20/2023

In Yeastar N412 and N824 Configuration Panel 42.x and 45.x, an unauthenticated attacker can create a backup file and download it, revealing the admin hash, which, once cracked, allows login to the Configuration Panel; otherwise, the attacker can replace the hash in the archive and restore it on the device, which changes the admin password and grants access to the device.


Analysis

by VulDB Data Team • 04/04/2025

The vulnerability identified as CVE-2022-47732 affects Yeastar N412 and N824 Configuration Panel devices running firmware versions 42.x and 45.x, representing a critical security flaw that undermines the integrity of the device's authentication mechanism. This issue stems from inadequate access controls within the backup functionality of the web interface, creating an exploitable pathway for unauthenticated attackers to gain administrative privileges without requiring any prior credentials or authentication. The vulnerability specifically resides in the configuration panel's handling of backup operations, where the system fails to properly validate user authentication status before permitting backup creation and download processes.

The technical implementation of this flaw allows an attacker to exploit a design weakness in the device's web-based management interface, where backup file generation does not require authentication credentials. This creates a scenario where any remote attacker can initiate backup operations and subsequently download the resulting archive file, which contains sensitive administrative information including password hashes. The backup files are stored in a format that preserves the device's administrative credentials, effectively providing attackers with a mechanism to escalate privileges through credential recovery or direct hash replacement. This represents a direct violation of the principle of least privilege and demonstrates a failure in the device's access control implementation.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass full administrative control of affected devices, potentially enabling attackers to modify configurations, install malicious firmware, or exfiltrate sensitive data from the network. The ability to replace the admin hash within the backup archive and restore it to the device creates a persistent backdoor mechanism that can be used to maintain long-term access even after the initial compromise. This vulnerability affects organizations that rely on Yeastar telephony equipment for critical communications infrastructure, potentially exposing them to significant operational disruption and security breaches. The flaw's presence in multiple firmware versions suggests a systemic design issue that requires comprehensive remediation across affected deployments.

Mitigation strategies should prioritize immediate firmware updates from Yeastar to address the authentication bypass mechanism and restore proper access controls. Organizations should implement network segmentation to limit access to these devices to authorized administrative networks only, while also monitoring for suspicious backup file creation activities. The vulnerability aligns with CWE-284, which addresses improper access control in software systems, and maps to attack techniques in the MITRE ATT&CK framework under T1078 for valid accounts and T1566 for credential harvesting. Network administrators should also consider implementing intrusion detection systems to monitor for unusual backup file access patterns and ensure that all administrative interfaces are protected through proper authentication mechanisms. Additionally, regular security assessments should be conducted to identify similar vulnerabilities in other networked devices that may exhibit comparable access control weaknesses.
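The monitoring recommended above can be sketched as a log check. This is an added example, not code from VulDB or Yeastar: it assumes a reverse proxy in front of the panel writes combined-format access logs, and the endpoint paths are hypothetical placeholders because the advisory does not name the real ones.

```python
import re
from datetime import datetime, timedelta

# Hypothetical endpoint paths: the advisory does not name the real ones.
# Replace them with the paths observed on your own device or proxy.
LOGIN_PATH = "/PLACEHOLDER/login"
BACKUP_PATHS = {"/PLACEHOLDER/backup/create": "create",
                "/PLACEHOLDER/backup/download": "download"}
SESSION_TTL = timedelta(minutes=30)  # assumed panel session lifetime

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_unauthenticated_backups(lines):
    """Return (ip, action, time) for each successful backup request from a
    client with no successful login within SESSION_TTL. Sessions are
    approximated per source IP, since access logs carry no cookie."""
    last_login = {}
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string
        ok = m["status"].startswith("2")
        ip = m["ip"]
        if path == LOGIN_PATH and m["method"] == "POST" and ok:
            last_login[ip] = ts
        elif path in BACKUP_PATHS and ok:
            seen = last_login.get(ip)
            if seen is None or ts - seen > SESSION_TTL:
                alerts.append((ip, BACKUP_PATHS[path], ts.isoformat()))
    return alerts

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.0.5.20 - - [20/Jan/2023:09:00:01 +0000] "POST /PLACEHOLDER/login HTTP/1.1" 200 512',
    '10.0.5.20 - - [20/Jan/2023:09:02:10 +0000] "POST /PLACEHOLDER/backup/create HTTP/1.1" 200 64',
    '10.0.5.20 - - [20/Jan/2023:10:05:00 +0000] "GET /PLACEHOLDER/backup/download HTTP/1.1" 200 48211',
    '198.51.100.7 - - [20/Jan/2023:11:14:30 +0000] "POST /PLACEHOLDER/backup/create HTTP/1.1" 200 64',
    '198.51.100.7 - - [20/Jan/2023:11:14:33 +0000] "GET /PLACEHOLDER/backup/download?f=x HTTP/1.1" 200 48211',
    '198.51.100.7 - - [20/Jan/2023:11:14:40 +0000] "GET /PLACEHOLDER/backup/download HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for alert in find_unauthenticated_backups(SAMPLE_LOG):
        print("ALERT backup %s without recent login: %s at %s" %
              (alert[1], alert[0], alert[2]))
```

A backup request long after the last login from the same address is also flagged, so tune `SESSION_TTL` to the panel's real session timeout before alerting on it.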

Reservation: 12/21/2022

Disclosure: 01/20/2023

Moderation: accepted

CPE: ready

EPSS: 0.00544

KEV: no

Activities: very low
