VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2022 · Updated Apr 25, 2025

CVE-2020-23588

Description

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to "Enable or Disable Ports" and to "Change port number" through "/rmtacc.asp".

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in OPTILINK OP-XT71000N allows unauthenticated remote attacker to enable/disable ports and change port numbers via /rmtacc.asp.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the OPTILINK OP-XT71000N with Hardware Version V2.2 and Firmware Version OP_V3.3.1-191028. The issue affects the /rmtacc.asp endpoint, allowing an unauthenticated, remote attacker to perform actions such as enabling or disabling ports and changing port numbers without proper CSRF protection [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious HTTP request targeting /rmtacc.asp and tricking an authenticated administrator into executing it, for example by getting them to visit a specially crafted webpage or click a malicious link. The attacker needs no authentication or special network position of their own beyond the victim's session [1].

Impact

Successful exploitation allows the attacker to modify port configurations, including enabling or disabling ports and changing port numbers. This could lead to denial of service (by disabling critical ports) or unauthorized network access (by changing port forwarding rules), depending on the device's location and role [1].

Mitigation

As of the publication date, no official fix or vendor advisory has been released. The affected firmware version (OP_V3.3.1-191028) may be end-of-life or unsupported. Until a patch is available, administrators should restrict network access to the device's management interface and apply browser-level CSRF protections, such as using anti-CSRF tokens if possible [1].
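As an added example (not part of the advisory or any vendor tooling), the following sketch reviews web proxy logs for requests to /rmtacc.asp that did not originate from the device's own pages. The combined-log layout with absolute URLs, the addresses and the hostnames are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

ENDPOINT = "/rmtacc.asp"  # path named in the CVE description

# Assumed layout: combined-log style with absolute URLs, as a forward proxy writes them.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)"'
)

def classify(line):
    """Return (client, ts, method, verdict) for requests to ENDPOINT, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["url"])
    if target.path.lower() != ENDPOINT:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Referer can be stripped by policy or tooling: a review item, not proof.
        verdict = "no-referer"
    elif urlsplit(referer).hostname == target.hostname:
        verdict = "same-host"
    else:
        # Request was triggered from a page on another host: the CSRF pattern.
        verdict = "cross-site"
    return (m["client"], m["ts"], m["method"], verdict)

def suspicious(lines):
    """Keep only endpoint requests that did not come from the device's own UI."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h[3] != "same-host"]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "POST http://192.168.1.1/rmtacc.asp HTTP/1.1" 200 512 "http://192.168.1.1/rmtacc.asp" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2025:10:05:00 +0000] "POST http://192.168.1.1/rmtacc.asp HTTP/1.1" 200 512 "http://news.example/article.html" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2025:10:06:00 +0000] "GET http://192.168.1.1/status.asp HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2025:10:07:00 +0000] "POST http://192.168.1.1/rmtacc.asp HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for client, ts, method, verdict in suspicious(SAMPLE_LOG):
        print(f"{ts} {client} {method} {ENDPOINT} -> {verdict}")
```
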

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
