Summary
Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, an authentication-bypass vulnerability and an SQL-injection vulnerability.
Impact
Exploiting these issues could allow an attacker to gain unauthorized access and perform arbitrary actions, obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Impact Level: Application
Solution
Ask the vendor for an update.
Insight
When UPnP services and WAN HTTP administrative access are enabled, authorization and credential challenges can be bypassed by directly accessing root-privileged functions via a web browser URL.
All aspects of the modem/router can be changed, altered and controlled by an attacker, including gaining access to and changing the PPPoE/PPP ISP credentials.
Affected
X4 ADSL Modem and Router
X5 ADSL Modem and 4-port Router
Detection
Request /hag/pages/toolbox.htm and check if it is accessible without authentication.
References
Updated on 2015-03-25