Advan VD-1 allows a remote user to enable Android Debug Bridge without any authentication
Description
A broken access control vulnerability in Advan VD-1 firmware version 230 leaves the ADB service insecure. An attacker can send a POST request to cgibin/AdbSetting.cgi to enable ADB without any authentication, then use the compromised device as a relay or install mining software on it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Advan VD-1 firmware v230 exposes an unauthenticated endpoint that enables ADB, allowing attackers to install malware or gain root via DirtyCow.
Vulnerability
CVE-2019-13405 is an access control bypass in Advan VD-1 firmware version 230. The cgibin/AdbSetting.cgi CGI endpoint accepts POST requests without any authentication, enabling the Android Debug Bridge (ADB) service on the device [1]. The affected firmware runs Android 5.1.1 Lollipop [1]. No special configuration or prior access is needed to reach the vulnerable endpoint.
Exploitation
An attacker on the same network as the target device can send a simple HTTP POST request to http:///cgibin/AdbSetting.cgi [1]. No authentication or user interaction is required. ADB is normally disabled by default; once it is enabled, the attacker can connect to the device over the network using the standard ADB protocol.
Impact
With ADB enabled, an attacker can execute arbitrary commands on the device, install malicious APK files (such as cryptocurrency mining software), or use the compromised device as a relay for further attacks [1]. Because the underlying operating system (Android 5.1.1) is vulnerable to the DirtyCow privilege escalation vulnerability (CVE-2016-5195), the attacker can leverage ADB to gain root-level access, completely compromising the device's confidentiality, integrity, and availability [1].
Mitigation
As of the publication date (2019-08-29), no official patched firmware version has been released for Advan VD-1 [1]. The affected firmware is version v230; users should monitor the vendor for updates. No workaround is documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Devices running Android 5.1.1 that cannot be updated should be isolated from untrusted networks.
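Because no patched firmware exists, defenders may want to know whether the endpoint has already been called. The following is an added detection example, not code from the advisory or the vendor: it scans web access logs for POST requests to cgibin/AdbSetting.cgi. It assumes a reverse proxy or network sensor in front of the device that writes Common Log Format; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory, lowercased for comparison.
ADB_CGI = "cgibin/adbsetting.cgi"

# Common Log Format: client ident user [time] "METHOD target PROTO" status ...
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise_path(target):
    """Drop the query string, percent-decode, collapse repeated slashes and
    lowercase, so trivially varied spellings of the path compare equal."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_adb_enable_requests(lines):
    """Return one record per POST to the AdbSetting CGI found in the log."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not the method the advisory names
        if ADB_CGI in normalise_path(m["target"]):
            hits.append({
                "src": m["src"],
                "time": m["ts"],
                "status": int(m["status"]),
                # A 2xx status means the request was answered with success.
                "answered_ok": m["status"].startswith("2"),
            })
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.50 - - [29/Aug/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Aug/2019:10:02:13 +0000] "POST /cgibin/AdbSetting.cgi HTTP/1.1" 200 31',
    '198.51.100.7 - - [29/Aug/2019:10:02:40 +0000] "POST //cgibin/%41dbSetting.cgi?x=1 HTTP/1.1" 200 31',
    '192.0.2.50 - - [29/Aug/2019:10:05:00 +0000] "GET /cgibin/AdbSetting.cgi HTTP/1.1" 404 0',
    '203.0.113.9 - - [29/Aug/2019:10:06:00 +0000] "POST /cgibin/AdbSetting.cgi HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in find_adb_enable_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with `answered_ok` set is a reason to check whether ADB is now running on that device and to review what was installed on it afterwards.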
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AndroVideo/Advan VD-1 firmware, v5, Range: 230
Patches
No patches discovered yet.
References
- surl.twcert.org.tw/VeNHn (mitre, x_refsource_CONFIRM)
- gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b (mitre, x_refsource_CONFIRM)
- tvn.twcert.org.tw/taiwanvn/TVN-201906006 (mitre, x_refsource_CONFIRM)