CVE-2024-28092 in DDW365 XCNDDW365
Summary
by MITRE • 03/20/2024
UBEE DDW365 XCNDDW365 8.14.3105 software on hardware 3.13.1 allows a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via RgFirewallEL.asp, RgDdns.asp, RgTime.asp, RgDiagnostics.asp, or RgParentalBasic.asp. The affected fields are SMTP Server Name, SMTP Username, Host Name, Time Server 1, Time Server 2, Time Server 3, Target, Add Keyword, Add Domain, and Add Allowed Domain.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/13/2025
The vulnerability identified as CVE-2024-28092 represents a critical stored cross-site scripting flaw in UBEE DDW365 and XCNDDW365 router firmware versions 8.14.3105 running on hardware version 3.13.1. This security weakness resides within the web-based administrative interface of these networking devices, specifically affecting multiple configuration pages including RgFirewallEL.asp, RgDdns.asp, RgTime.asp, RgDiagnostics.asp, and RgParentalBasic.asp. The vulnerability allows remote attackers who are within Wi-Fi proximity to the affected devices to inject malicious scripts into the router's configuration parameters, which are then stored and executed when other users access the administrative interface. This particular flaw falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security that enables attackers to inject malicious code that executes in the context of other users' browsers.
The technical exploitation of this vulnerability occurs through the manipulation of several input fields across different configuration pages. Attackers can target fields such as SMTP Server Name, SMTP Username, Host Name, Time Server 1, Time Server 2, Time Server 3, Target, Add Keyword, Add Domain, and Add Allowed Domain to inject malicious JavaScript code. When these parameters are processed and stored in the router's configuration database, the malicious scripts become persistent and will execute whenever the affected web interface is accessed by authenticated users. The stored nature of this XSS vulnerability means that the malicious code does not require immediate exploitation upon injection, as the payload remains stored within the device configuration until accessed by an unsuspecting administrator or user. This characteristic significantly increases the attack surface and persistence potential of the vulnerability.
The operational impact of CVE-2024-28092 extends beyond simple script execution, as it provides attackers with the ability to perform session hijacking, credential theft, and potentially gain unauthorized access to the router's administrative functions. An attacker could inject scripts that steal administrator session cookies, redirect users to malicious sites, or even modify router settings to create backdoors or disable security features. The proximity requirement for exploitation means that attackers need physical or wireless access to the network, but this limitation does not prevent the vulnerability from being highly dangerous in environments where unauthorized access to wireless networks is possible. The attack vector aligns with ATT&CK technique T1071.004 - Application Layer Protocol: DNS, as attackers could potentially use the compromised router to redirect DNS queries or manipulate network traffic. Additionally, the vulnerability enables techniques such as T1566.002 - Phishing: Spearphishing Attachment, where attackers could use the compromised router to deliver malicious payloads to connected devices.
Mitigation strategies for this vulnerability should include immediate firmware updates from UBEE, as the manufacturer likely has patches available to address the XSS flaws in the affected configuration fields. Network administrators should implement network segmentation to limit wireless access to critical devices and ensure that only authorized personnel have access to the router administration interfaces. The principle of least privilege should be enforced by creating separate administrative accounts with limited permissions and implementing strong authentication mechanisms. Additionally, network monitoring should be enhanced to detect unusual traffic patterns that might indicate exploitation attempts, and web application firewalls should be configured to filter suspicious input patterns. Organizations should also consider implementing device access controls that require multi-factor authentication for administrative access and regularly audit router configurations for unauthorized changes. The vulnerability highlights the importance of input validation and output encoding in web applications, particularly in network device management interfaces where administrators are constantly exposed to potentially malicious input from various sources.