| Title | Mercusys Router MW301R 1.0.2 Build 190726 Rel.59423n (4252) Authentication Bypass Using an Alternate Path or Channel |
|---|
| Description | Hello team!
The flaw was found in the Mercusys router MW301R. In authenticated sessions, it is possible to completely bypass the password‑change workflow without knowing the current admin password. On the Mercusys MW301R, the official recovery method for a forgotten password is to perform a factory reset—which requires physical access—or, within a valid session, to supply the existing password. The discovered bypass allows an attacker who is already authenticated to intercept the HTTP request and simply modify the "code=" parameter to invoke the reset endpoint directly. This enables the administrator password to be changed remotely, without any physical interaction with the device or knowledge of the previous credential.
Endpoint: /?code={CODE}&asyn={ASYN}&id={ID}
ORIGINAL Manufacturer Password Reset Process: https://www.mercusys.com/cz/faq-118 |
|---|
| Source | ⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README20.md |
|---|
| User | RaulPACXXX (UID 84502) |
|---|
| Submitted | 2025-07-08 12:16 (12 months ago) |
|---|
| Moderation | 2025-07-19 09:44 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 316996 [Mercusys MW301R 1.0.2 Build 190726 Rel.59423n Web Interface code privilege escalation] |
|---|
| Points | 20 |
|---|