| Title | MAXTECH MAX-G866ac Wireless - Remote Code Execution Unauthenticated |
|---|
| Description | # Exploit Title: MAXTECH MAX-G866ac Wireless - Remote Code Execution Unauthenticated
# Date: 2023-09-04
# Exploit Author: MrEmpy
# Version Firmware: SSW_AP_MAXT_MAX-G866ac_0.4.1_TBRO_20160314
Title:
================
MAXTECH MAX-G866ac Wireless - Remote Code Execution Unauthenticated
Summary:
================
The Remote Code Execution Without Authentication flaw in MAXTECH's MAX-G866ac router is a critical vulnerability that allows a remote attacker to execute malicious code on the device without the need for authentication. This flaw was recently discovered and can be exploited by an attacker to take complete control of the router, steal confidential information from users connected to the network, and perform other malicious attacks.
The vulnerability is due to a flaw in the implementation of a remote management feature in the MAX-G866ac router. Specifically, the device fails to properly verify incoming requests before executing remote code, allowing an attacker to send malicious commands to the device without any form of authentication or validation.
The vulnerability was found in firmware version SSW_AP_MAXT_MAX-G866ac_0.4.1_TBRO_20160314, and the vulnerability is believed to be present in newer versions of router firmware.
Severity Level:
================
10.0 (Critical)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Product:
================
MAXTECH MAX-G866ac SSW_AP_MAXT_MAX-G866ac_0.4.1_TBRO_20160314
Proof of Concept:
================
https://www.youtube.com/watch?v=fikdcK_xlS8 |
|---|
| Source | ⚠️ . |
|---|
| User | mrempy (UID 24379) |
|---|
| Submission | 04/09/2023 19:39 (3 years ago) |
|---|
| Moderation | 04/21/2023 16:16 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 227001 [MAXTECH MAX-G866ac 0.4.1_TBRO_20160314 Remote Management missing authentication] |
|---|
| Points | 17 |
|---|