If the configuration defects are not patched, administrators may allow a remote attacker to manage the device via SSH and expose the internal network via SNMP, which may lead to data theft.

CVE-2018-10988: The password reset system of the device has a vulnerability. Successful exploitation of this vulnerability may allow a remote attacker to obtain the administrator account password via email.

CVE-2018-11003: The device has a vulnerability in the web interface. Successful exploitation of this vulnerability may allow a remote attacker to conduct session hijacking via the web interface.

CVE-2018-11004: The installation script of the device has a vulnerability. Successful exploitation of this vulnerability may allow a remote attacker to obtain the administrator account password via email.

CVE-2018-11005: The device has a vulnerability in the web interface. Successful exploitation of this vulnerability may allow a remote attacker to conduct session hijacking via the web interface.

CVE-2018-11006: The device has a vulnerability in the web interface. Successful exploitation of this vulnerability may allow a remote attacker to conduct session hijacking via the web interface.

CVE-2018-11007: The device has a vulnerability in the web interface. Successful exploitation of this vulnerability may allow a remote attacker to conduct session hijacking via the web interface.

CVE-2018-11008: The device has a vulnerability in the web interface.

Overall concept of the device and its features

The device is a Webtop with 2.4G and 5G wireless capabilities and a 2x2 MIMO antenna configuration. It is designed to run the OpenWrt Linux distribution, which can be installed as an image on a microSD card.

The device has multiple vulnerabilities in its web interface, installation script, and password reset system. The device's administrator account password can be retrieved by email if an attacker successfully exploits one of the vulnerabilities in these three components of the device.

Timeline

Published on: 10/14/2022 16:15:00 UTC
Last modified on: 10/18/2022 17:32:00 UTC

References