CVE-2019-17224
Description
The web interface of the Compal Broadband CH7465LG modem (version CH7465LG-NCIP-6.12.18.25-2p6-NOSH) is vulnerable to a /%2f/ path traversal attack, which can be exploited in order to test for the existence of a file pathname outside of the web root directory. If a file exists but is not part of the product, there is a 404 error. If a file does not exist, there is a 302 redirect to index.html.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Compal Broadband CH7465LG modem web interface is vulnerable to a path traversal attack via /%2f/, allowing remote attackers to test for the existence of arbitrary files outside the web root.
Vulnerability
The web interface of the Compal Broadband CH7465LG modem running firmware version CH7465LG-NCIP-6.12.18.25-2p6-NOSH is vulnerable to a path traversal attack via the /\%2f/ sequence. This allows an unauthenticated remote attacker to probe for the existence of files outside the web root directory by sending crafted HTTP requests. [1]
Exploitation
An attacker with network access to the modem's web interface (typically on the local network) can send an HTTP request containing a path such as /\%2f/var/tmp/ping_result. The server responds with a 404 Not Found if the file exists but is not part of the product, or a 302 Moved Temporarily redirect to index.html if the file does not exist. This behavior enables an attacker to determine the presence of arbitrary files on the filesystem. [1]
Impact
Successful exploitation allows an attacker to enumerate the filesystem and confirm the existence of specific files outside the web root. This information disclosure could aid in identifying sensitive files (e.g., configuration files, logs) and may be used as a stepping stone for further attacks. No direct file read or write is achieved. [1]
Mitigation
As of the publication date (October 2019), no firmware update or patch has been released to address this vulnerability. The affected firmware version CH7465LG-NCIP-6.12.18.25-2p6-NOSH remains unpatched. Users should restrict network access to the modem's web interface to trusted networks only and consider disabling remote administration if not required. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Compal Broadband/CH7465LGdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation and path canonicalization in the web interface allows URL-encoded path traversal sequences to access files outside the web root."
Attack vector
An unauthenticated remote attacker sends an HTTP request with a URL-encoded path traversal sequence (`/%2f/`) followed by an arbitrary file path, such as `/%2f/var/tmp/ping_result`. The server processes the decoded path and checks whether the file exists outside the web root. If the file exists, the server returns a 404 Not Found (likely because the file lacks a registered MIME type). If the file does not exist, the server returns a 302 redirect to `../index.html`. This difference in HTTP response codes lets the attacker probe for the existence of arbitrary files on the device's filesystem [ref_id=1].
Affected code
The web interface of the Compal Broadband CH7465LG modem (firmware version CH7465LG-NCIP-6.12.18.25-2p6-NOSH) does not properly sanitize URL paths. The vulnerability is triggered by sending a request containing `/%2f/` (URL-encoded slash) followed by a file path, which bypasses the web root restriction and allows path traversal outside the document root [ref_id=1].
What the fix does
The advisory does not include a patch or vendor fix. The researcher notes that the vulnerability can be used to fingerprint installed firmware versions and check whether security patches have been applied, implying that the vendor should implement proper input validation and path canonicalization to reject or safely handle URL-encoded traversal sequences like `/%2f/` [ref_id=1]. No official remediation has been published in the provided materials.
Preconditions
- networkThe attacker must have network access to the modem's web interface (typically on the local network at 192.168.0.1).
- authNo authentication is required; the vulnerability is exploitable without any session or credentials.
Reproduction
1. From a machine on the same network as the modem, send a request to probe a known file: `curl -I http://192.168.0.1/%2f/var/tmp/ping_result`. If the file does not exist, the response is a 302 redirect to `../index.html`. 2. Trigger the creation of the file (e.g., launch a ping from the web interface), then repeat the request. The response changes to 404 Not Found, confirming the file now exists [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- vulnerabilities.home.blog/2019/10/27/again-a-vunerability-in-cable-router-ch7465lg-cve-2019-17224/mitrex_refsource_MISC
- www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdfmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.