CVE-2020-24246

high-risk

Published 2020-10-07

Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin.

Do I need to act?

0.52% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Balance 20X Firmware

Balance 310X Firmware

Mbx Firmware

Epx Firmware

Sdx Firmware

Balance 30 Lte Firmware

Balance 20 Firmware

Balance 30 Firmware

Balance 30 Pro Firmware

Balance 50 Firmware

Balance One Firmware

Balance Two Firmware

Balance 210 Firmware

Balance 310 Firmware

Balance 305 Firmware

Balance 380 Firmware

Balance 580 Firmware

Balance 710 Firmware

Balance 1350 Firmware

Balance 2500 Firmware

Affected Vendors

Peplink

References (4)

Exploit https://blog.bssi.fr/cve-2020-24246-leaking-source-file-using-the-web-admin-inte...

Release Notes https://download.peplink.com/resources/firmware-8.1.0rc1-release-notes.pdf

Exploit https://blog.bssi.fr/cve-2020-24246-leaking-source-file-using-the-web-admin-inte...

Release Notes https://download.peplink.com/resources/firmware-8.1.0rc1-release-notes.pdf

/ 100

high-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 26/34 · High