CVE-2019-19825

high-risk

Published 2020-01-27

On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.

Do I need to act?

28.8% chance of exploitation in next 30 days

EPSS score — higher than 71% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (8)

A3002Ru Firmware

A702R Firmware

N301Rt Firmware

N302R Firmware

N300Rt Firmware

N200Re Firmware

N150Rt Firmware

N100Re Firmware

Affected Vendors

Totolink

References (8)

Third Party Advisory http://packetstormsecurity.com/files/156083/Realtek-SDK-Information-Disclosure-C...

Mailing List http://seclists.org/fulldisclosure/2020/Jan/36

Mailing List http://seclists.org/fulldisclosure/2020/Jan/38

Exploit https://sploit.tech

Third Party Advisory http://packetstormsecurity.com/files/156083/Realtek-SDK-Information-Disclosure-C...

Mailing List http://seclists.org/fulldisclosure/2020/Jan/36

Mailing List http://seclists.org/fulldisclosure/2020/Jan/38

Exploit https://sploit.tech

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 15/34 · Moderate

Exposure 14/34 · Moderate