
Authentication in KPN ExperiaBox could be bypassed by vulnerability

Researchers have discovered a vulnerability in modems and routers that use Arcadyan software, including two KPN modems. This made it possible to bypass authentication and make adjustments to the network settings.

Researchers at security company Tenable discovered a path traversal vulnerability in the web interface of several network devices made by Arcadyan, which KPN also uses. In the case of KPN, it concerns the ExperiaBox V10A with firmware version 5.00.48 and the VGV7519 with firmware version 3.01.116. A path traversal bug makes it possible to view files and folders that a user should not have access to.

The vulnerability in the firmware allows attackers to remotely bypass the login and authentication of the web interface, access sensitive information such as valid request tokens, and thus modify the router’s network settings. The vulnerability is registered as CVE-2021-20090. Tenable does not provide further details on how the vulnerability can be exploited.

Initially, the researchers thought it was a vulnerability in a specific modem, but it soon became apparent that the problem was in the firmware, which is used in various modems and routers. These include modems and routers from O2, Verizon and Vodafone. The researchers discovered the vulnerability in January this year, and have informed the various manufacturers and ISPs about it.

CERT/CC recommends that people with these modems install the latest firmware on their modem or router as soon as possible, disable remote WAN-side admin services, and disable the web interface on the WAN. Privacy news says that it is not yet known whether KPN has released a firmware update against the vulnerability that users can install. KPN has been using the ExperiaBox V10A since 2018.
