CVE-2024-57725 in Livebox Fibra
Summary
by MITRE • 02/14/2025
An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/30/2025
The vulnerability identified as CVE-2024-57725 affects the Arcadyan Livebox Fibra PRV3399B_B_LT device, representing a critical security flaw that undermines the integrity of network connectivity management. This issue resides within the device's web interface administration system, specifically targeting the /firstconnection.cgi endpoint which governs initial network configuration parameters. The flaw enables unauthorized modification of the GPON link value, a fundamental component that establishes the optical network connection between the customer premises equipment and the service provider's network infrastructure. This represents a significant weakness in the device's access control mechanisms, as it allows attackers to manipulate core network parameters without requiring any authentication credentials.
The technical implementation of this vulnerability stems from inadequate input validation and authentication checks within the web application interface. When an attacker accesses the /firstconnection.cgi endpoint, the system fails to properly verify the identity of the requesting user or validate the legitimacy of parameter modifications. This lack of proper access control validation creates an exploitable condition where both remote and local attackers can manipulate the GPON link configuration. The vulnerability specifically targets the GPON link value parameter, which serves as a critical configuration element that determines how the device establishes and maintains its connection to the upstream network infrastructure. The absence of authentication requirements means that any individual with access to the device's network interface can potentially disrupt service by altering this parameter.
The operational impact of this vulnerability extends beyond simple configuration modification to encompass significant service disruption capabilities. When an attacker successfully modifies the GPON link value, they can effectively sever or compromise the internet connectivity for the affected premises. This disruption occurs because the GPON link configuration directly controls how the device communicates with the service provider's network, making it a critical point of failure. The vulnerability's remote exploitability means that attackers do not need physical access to the device, allowing them to perform service disruption attacks from anywhere on the internet. The local attack vector further compounds the risk, as it allows for exploitation from within the local network, potentially through compromised internal systems or unauthorized user access. This dual attack surface creates multiple pathways for exploitation and increases the overall threat landscape for affected networks.
The vulnerability aligns with CWE-287, which addresses improper authentication issues in software systems, and demonstrates how weak access control mechanisms can lead to severe operational consequences. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1078.004, which covers legitimate credentials in cloud environments, though in this case the attack exploits the absence of credential requirements rather than stealing them. The device's failure to implement proper authentication checks creates an environment where attackers can manipulate critical network parameters with minimal effort. This situation represents a fundamental flaw in the device's security architecture, as it fails to distinguish between authorized and unauthorized modifications to core network configuration parameters.
Mitigation strategies for this vulnerability require immediate attention from network administrators and service providers. The primary recommendation involves implementing proper authentication controls for all administrative endpoints, ensuring that the /firstconnection.cgi interface requires valid user credentials before allowing parameter modifications. Network segmentation and access controls should be implemented to restrict access to administrative interfaces to authorized personnel only. Device firmware updates should be prioritized to address the authentication bypass vulnerability, though administrators should verify that updates are available from the vendor before deployment. Additional protective measures include monitoring network traffic for unauthorized access attempts to administrative endpoints and implementing network-based intrusion detection systems that can identify suspicious parameter modification activities. Organizations should also conduct comprehensive vulnerability assessments to identify other potentially unauthenticated administrative interfaces that may present similar risks. The remediation process must include verification that authentication mechanisms are properly enforced and that unauthorized modifications are properly logged and reported for security analysis.