CVE-2019-25706

Summary

Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data.

Affected Software

VendorProductVersion RangeStatus
AcrossDR-810ROM-0affected

Weaknesses

  • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References