CVE-2020-23585
Description
A remote attacker can conduct a cross-site request forgery (CSRF) attack on OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028. The vulnerability is due to insufficient CSRF protections for the "mgm_config_file.asp" because of which attacker can create a crafted "csrf form" which sends " malicious xml data" to "/boaform/admin/formMgmConfigUpload". the exploit allows attacker to "gain full privileges" and to "fully compromise of router & network".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in OPTILINK OP-XT71000N router allows remote attacker to upload malicious config XML, gaining full device compromise and network breach.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the OPTILINK OP-XT71000N router with Hardware Version V2.2 and Firmware Version OP_V3.3.1-191028 [1]. The mgm_config_file.asp endpoint lacks sufficient CSRF protections, allowing an attacker to craft a form that, when submitted by an authenticated administrator, sends malicious XML data to /boaform/admin/formMgmConfigUpload. This XML can contain credentials for services such as PPP, Telnet, SNMP, FTP, and the web login [1].
Exploitation
An attacker must trick an authenticated administrator into following a crafted link or submitting a malicious form. No additional authentication or network position is required beyond the victim's session. The crafted CSRF form automatically submits the malicious XML config file to the vulnerable upload endpoint, overwriting the device's configuration with attacker-controlled values [1].
Impact
Successful exploitation allows the attacker to gain full administrative privileges on the router. The attacker can alter the device configuration, execute arbitrary commands, reload the device, and ultimately compromise the entire network [1]. All stored credentials in the config file (PPP, Telnet, SNMP, FTP, etc.) are exposed to the attacker.
Mitigation
As of publication, no firmware update addressing this vulnerability has been released. Users should restrict access to the management interface to trusted networks only, disable remote management if possible, and avoid using default credentials. Administrators should be cautious of unsolicited links and verify form submissions [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- OPTILINK/OP-XT71000Ndescription
- Range: = V2.2 hardware / OP_V3.3.1-191028 firmware
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
0No linked articles in our index yet.