CVE-2020-18331
Description
Directory traversal vulnerability in ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01 (hardware platform Gpn2.4P21-C_WIFI-V0.05), via the getpage parameter to /cgi-bin/webproc.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal vulnerability in ChinaMobile PLC Wireless Router GPN2.4P21-C-CN (firmware W2000EN-01) allows reading arbitrary files via the getpage parameter.
Vulnerability
A directory traversal vulnerability exists in the ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running firmware W2000EN-01 (hardware platform Gpn2.4P21-C_WIFI-V0.05). The issue is in the /cgi-bin/webproc script, where the getpage parameter is not properly sanitized, allowing an attacker to traverse directories and read arbitrary files [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET request to http://:8080/cgi-bin/webproc?getpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow to retrieve sensitive files such as /etc/shadow. The router's web interface is accessible without authentication on port 8080, as the device ships without an administrative password [1].
Impact
Successful exploitation allows an attacker to read arbitrary files on the device, including password hashes. Over 4,320 devices were found exposed on the internet via Shodan, primarily in South America and Asia [1]. This can lead to credential compromise and further network attacks.
Mitigation
No official firmware fix has been released as of the report date. While setting an administrative password reduces the attack surface, it does not address the underlying directory traversal vulnerability. Users should restrict network access to the web interface and monitor for suspicious activity. The default tw account password cannot be changed, so additional risk mitigation strategies are recommended [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ChinaMobile/PLC Wireless Router model GPN2.4P21-C-CN
- Range: = W2000EN-01
Patches
No patches discovered yet.