Submit #611328: Mercusys Router MW301R 1.0.2 Build 190726 Rel.59423n (4252) Authentication Bypass Using an Alternate Path or Channel

Title: Mercusys Router MW301R 1.0.2 Build 190726 Rel.59423n (4252) Authentication Bypass Using an Alternate Path or Channel

Description: Hello team! The flaw was found in the Mercusys router MW301R. In authenticated sessions, it is possible to completely bypass the password-change workflow without knowing the current admin password. On the Mercusys MW301R, the official recovery method for a forgotten password is to perform a factory reset—which requires physical access—or, within a valid session, to supply the existing password. The discovered bypass allows an attacker who is already authenticated to intercept the HTTP request and simply modify the "code=" parameter to invoke the reset endpoint directly. This enables the administrator password to be changed remotely, without any physical interaction with the device or knowledge of the previous credential.

Endpoint: /?code={CODE}&asyn={ASYN}&id={ID}

ORIGINAL Manufacturer Password Reset Process: https://www.mercusys.com/cz/faq-118

Source: https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README20.md
User: RaulPACXXX (UID 84502)
Submission: 07/08/2025 12:16 (12 months ago)
Moderation: 07/19/2025 09:44 (11 days later)
Status: Accepted
VulDB entry: 316996 [Mercusys MW301R 1.0.2 Build 190726 Rel.59423n Web Interface code password recovery]
Points: 20
