Advan VD-1 has a vulnerability that allows remote arbitrary APK installation
Description
A broken access control vulnerability was found in Advan VD-1 firmware versions up to 230. An attacker can send a POST request to cgibin/ApkUpload.cgi to install an arbitrary APK without any authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Advan VD-1 ≤ v230 allows unauthenticated arbitrary APK installation via POST to cgibin/ApkUpload.cgi.
Vulnerability
CVE-2019-13406 is a missing authentication vulnerability in the Advan VD-1 firmware up to version 230. The endpoint cgibin/ApkUpload.cgi accepts POST requests without any access control, allowing an attacker to upload and install arbitrary APK files on the device. The vulnerability affects AndroVideo Advan VD-1 (firmware ≤ v230), as confirmed by the advisory [1].
Exploitation
An attacker only needs network access to the device. No authentication is required. By sending a crafted POST request to cgibin/ApkUpload.cgi with an arbitrary APK payload, the attacker can cause the device to install the uploaded application [1].
Impact
Successful exploitation allows an attacker to install arbitrary Android applications (APKs) on the VD-1 device. This can lead to installation of malware, backdoors, or mining software, effectively giving the attacker persistent control over the device and potentially enabling further compromise of the local network [1].
Mitigation
The vendor has not released a patch for this vulnerability as of the publication date. Users should restrict network access to the device to trusted networks only and consider isolating it until an official firmware update is available. The affected versions are Advan VD-1 firmware ≤ v230; devices running a newer version are not mentioned in the advisory [1].
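One way to check whether the access restriction above is holding, as an added example (not code from the advisory or the vendor): scan access logs from a reverse proxy or network sensor in front of the device for POST requests to cgibin/ApkUpload.cgi and flag sources outside the trusted network. The combined log format, the 10.20.0.0/24 trusted subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: combined-format access log written by a proxy or sensor in front of the device.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
ENDPOINT = "/cgibin/apkupload.cgi"  # path named in the advisory, compared case-insensitively
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical management subnet

def find_apk_uploads(lines, trusted=TRUSTED):
    """Return one finding per POST to the upload endpoint, graded by source trust."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and collapse duplicate slashes before comparing.
        path = re.sub(r"/+", "/", m["target"].split("?", 1)[0]).lower()
        if not path.rstrip("/").endswith(ENDPOINT):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            is_trusted = any(src in net for net in trusted)
        except ValueError:
            is_trusted = False  # hostname or malformed value in the source field
        findings.append({
            "time": m["ts"], "source": m["src"], "status": int(m["status"]),
            "severity": "review" if is_trusted else "alert",
        })
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '10.20.0.15 - - [12/Jun/2019:09:14:02 +0800] "POST /cgibin/ApkUpload.cgi HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.45 - - [12/Jun/2019:09:20:41 +0800] "POST //cgibin/ApkUpload.cgi?x=1 HTTP/1.1" 200 87 "-" "-"',
    '203.0.113.45 - - [12/Jun/2019:09:21:03 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
    '198.51.100.7 - - [12/Jun/2019:09:30:00 +0800] "GET /cgibin/ApkUpload.cgi HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_apk_uploads(SAMPLE):
        print(finding)
```

Because the endpoint requires no authentication, even an upload from a trusted address is reported at "review" severity so it can be matched against a planned change.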
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AndroVideo/Advan VD-1 firmware, range: up to 230
Patches
No patches discovered yet.
References
- surl.twcert.org.tw/hVut7 (mitre, x_refsource_CONFIRM)
- gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b (mitre, x_refsource_CONFIRM)
- tvn.twcert.org.tw/taiwanvn/TVN-201906007 (mitre, x_refsource_CONFIRM)