VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2020 · Updated Aug 4, 2024

CVE-2020-14930

Description

An issue was discovered in BT CTROMS Terminal OS Port Portal CT-464. Account takeover can occur because the password-reset feature discloses the verification token. Upon a getverificationcode.jsp request, this token is transmitted not only to the registered phone number of the user account, but is also transmitted to the unauthenticated HTTP client.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BT CTROMS Terminal OS Port Portal CT-464 password-reset leaks the verification token to unauthenticated HTTP clients, enabling account takeover.

Vulnerability

In BT CTROMS Terminal OS Port Portal CT-464, the password-reset functionality in getverificationcode.jsp discloses the verification token to the requesting client in addition to sending it to the registered phone number [1]. The out-of-band channel (SMS) is therefore bypassed: any unauthenticated HTTP client that can reach the endpoint receives the token in the response, without authentication or prior knowledge of the user's credentials [1].

Exploitation

An unauthenticated attacker can initiate a password-reset request for any known username by sending a getverificationcode.jsp request. The HTTP response contains the verification token in plain text. The attacker can then submit that token via the password-reset completion endpoint to set a new password for the target account [1]. No user interaction or special network position is required beyond HTTP access to the portal [1].

Impact

A successful attacker gains full control of the targeted account, i.e. an account takeover. This means complete compromise of the affected portal user account, including access to any data or functions available to that user [1]. The direct scope is the application layer, although the hijacked account could also serve as a foothold for further attacks within the terminal operating system environment [1].

Mitigation

As of the reference published in March 2020 [1], no official patch was available. Operators should restrict network access to the portal, monitor for suspicious password-reset requests, and consider implementing additional verification (e.g., CAPTCHA, rate limiting) on the getverificationcode.jsp endpoint until a vendor fix is released.
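The following added example (not the vendor's code; it is a constructed simulation of a password-reset flow, with hypothetical usernames, phone numbers and a stand-in SMS gateway) contrasts the disclosure pattern described above with a hardened handler that keeps the token on the server, sends it only out of band, expires it, consumes it on first use and caps guessing attempts. The six-digit code format is an assumption.

```python
import hmac
import secrets
import time

# Constructed server-side state; everything here is hypothetical sample data.
TOKEN_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
PENDING = {}    # username -> {"token", "expires", "attempts"}
SENT_SMS = []   # stand-in for the SMS gateway: (phone, message)
USERS = {"alice": {"phone": "+15550100", "password": "old-secret"}}

def _issue_code(username):
    # Assumed 6-digit code; stored server-side and sent only to the registered phone.
    token = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = {"token": token, "expires": time.time() + TOKEN_TTL_SECONDS, "attempts": 0}
    SENT_SMS.append((USERS[username]["phone"], token))
    return token

def request_reset_vulnerable(username):
    """The pattern in the advisory: the code goes to the phone AND into the HTTP response."""
    token = _issue_code(username)
    return {"status": "ok", "verificationcode": token}   # the disclosure

def request_reset_fixed(username):
    """Hardened: the code leaves the server only via SMS, and the response is the
    same whether or not the username exists (no account-enumeration oracle)."""
    if username in USERS:
        _issue_code(username)
    return {"status": "ok"}

def complete_reset(username, submitted_code, new_password):
    """Expiring, attempt-limited, single-use, constant-time verification."""
    entry = PENDING.get(username)
    if entry is None or time.time() > entry["expires"]:
        PENDING.pop(username, None)
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(username, None)          # too many guesses: invalidate the code
        return False
    if not hmac.compare_digest(entry["token"], submitted_code):
        return False
    PENDING.pop(username)                    # consumed on success; cannot be replayed
    USERS[username]["password"] = new_password
    return True
```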

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)