CVE-2020-23587
Description
A vulnerability found in the OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to men in the middle attack by adding New Routes in RoutingConfiguration on " /routing.asp ".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in OPTILINK OP-XT71000N router allows unauthenticated remote attacker to add routes, enabling man-in-the-middle attacks.
Vulnerability
The OPTILINK OP-XT71000N router (Hardware Version V2.2, Firmware Version OP_V3.3.1-191028) is vulnerable to a cross-site request forgery (CSRF) attack on the /routing.asp endpoint. The application does not implement any anti-CSRF tokens or origin validation, allowing an attacker to forge requests that add new routes to the routing configuration. This vulnerability is present in the RoutingConfiguration functionality and requires no authentication to exploit the CSRF vector, though the victim must be authenticated to the router's web interface [1].
Exploitation
An unauthenticated, remote attacker can craft a malicious HTML page or script that, when visited by an authenticated user (e.g., via phishing or a compromised site), sends a forged POST request to /routing.asp to add arbitrary routes. The attacker does not need any prior access to the router; the victim's browser automatically includes the session cookie, and the router processes the request as legitimate. The attacker can then manipulate routing tables to redirect traffic through a controlled machine, enabling a man-in-the-middle (MITM) position [1].
Impact
Successful exploitation allows the attacker to add or modify routing entries on the device. This can redirect network traffic to an attacker-controlled host, enabling interception, modification, or blocking of communications. The attacker gains the ability to perform MITM attacks on the victim's network traffic, potentially compromising sensitive data such as credentials or session tokens. The impact is limited to the local network segment reachable by the router, but the attacker does not require any prior authentication or privileges [1].
Mitigation
As of the publication date (2022-11-23), no official patch or firmware update has been released by OPTILINK to address this vulnerability. The vendor has not disclosed a fix in the available references [1]. Users are advised to restrict access to the router's web interface to trusted networks only, disable remote administration if not needed, and monitor for any future firmware updates. Implementing a reverse proxy with CSRF protection or using browser-based protections (e.g., SameSite cookies) may reduce risk but are not complete mitigations.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- OPTILINK/OP-XT71000Ndescription
- Range: Firmware OP_V3.3.1-191028
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
0No linked articles in our index yet.