CVE-2024-51187 in TEW-651BR
Summary
by MITRE • 11/11/2024
TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a Store Cross-site scripting (XSS) vulnerability via the firewallRule_Name_1.1.1.0.0 parameter on the /firewall_setting.htm page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/28/2025
The TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 wireless routers present a critical cross-site scripting vulnerability that compromises the security of network administrators and end users. This vulnerability exists within the firewall configuration interface of these devices, specifically in the parameter named firewallRule_Name_1.1.1.0.0 on the /firewall_setting.htm page. The flaw allows malicious actors to inject malicious scripts into the web interface that can execute in the context of authenticated users, potentially leading to unauthorized access to network configurations and sensitive data. This vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws in web applications, representing a fundamental weakness in input validation and output encoding mechanisms within the device's web interface. The affected devices are commonly deployed in small office and home environments where network administrators may not be fully aware of the security implications of such vulnerabilities.
The technical exploitation of this vulnerability occurs when an attacker crafts a malicious payload that gets stored in the firewall rule name parameter and subsequently rendered in the web interface without proper sanitization or encoding. When an authenticated user navigates to the firewall settings page, the malicious script executes in their browser context, potentially stealing session cookies, modifying firewall rules, or redirecting users to malicious sites. The vulnerability is particularly concerning because it affects the administrative interface of network devices, which typically requires elevated privileges to access. This creates a pathway for attackers to escalate their privileges and gain complete control over the router configuration, potentially leading to man-in-the-middle attacks, DNS hijacking, or unauthorized network access. The stored nature of this XSS vulnerability means that the malicious payload persists even after the initial injection, making it particularly dangerous as it can affect any user who views the affected page.
The operational impact of this vulnerability extends beyond simple script execution, as it can compromise the integrity and confidentiality of network communications. Network administrators who regularly access the device's web interface become potential targets for persistent attacks that can remain undetected for extended periods. The vulnerability affects devices that are often deployed in environments with limited security awareness, making them prime targets for exploitation. Attackers can leverage this vulnerability to establish persistent backdoors, modify firewall rules to allow unauthorized access, or redirect traffic through malicious intermediaries. The impact is particularly severe in enterprise environments where these devices may be used as part of network infrastructure, as compromised routers can serve as entry points for broader network infiltration. According to ATT&CK framework, this vulnerability maps to T1566.002 (Phishing via Service) and T1071.004 (Application Layer Protocol: DNS) as attackers can use the compromised devices to perform reconnaissance and lateral movement within the network.
Mitigation strategies for this vulnerability require immediate attention from network administrators, including prompt firmware updates from TRENDnet if available, or implementing network segmentation to limit access to administrative interfaces. The most effective long-term solution involves applying vendor-provided patches that properly sanitize and encode all user input before rendering it in web interfaces. Network administrators should also implement additional security measures such as restricting access to administrative interfaces to specific IP addresses, using secure authentication mechanisms, and monitoring for unusual network activity that might indicate exploitation attempts. The vulnerability demonstrates the importance of proper input validation and output encoding in web applications, as highlighted by CWE-79 requirements for preventing XSS attacks. Organizations should also consider implementing network monitoring solutions that can detect anomalous behavior in network devices and establish incident response procedures specifically addressing router compromise scenarios. Regular security assessments and vulnerability scanning of network infrastructure should be conducted to identify similar issues in other network devices that may be running outdated firmware versions.