CVE-2020-23591
Description
A vulnerability in OPTILINK OP-XT71000N, Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028, allows an attacker to upload arbitrary files through "/mgm_dev_upgrade.asp", which can delete every file for Denial of Service (using 'rm -rf *.*' in the code), reverse connection (using '.asp' webshell), backdoor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Arbitrary file upload in OPTILINK OP-XT71000N firmware allows attackers to achieve denial of service, reverse shell, or backdoor via /mgm_dev_upgrade.asp.
Vulnerability
The vulnerability exists in OPTILINK OP-XT71000N with Hardware Version V2.2 and Firmware Version OP_V3.3.1-191028. The endpoint /mgm_dev_upgrade.asp does not properly validate file uploads, allowing an attacker to upload arbitrary files, including malicious scripts. [1]
Exploitation
An attacker can upload a file via the /mgm_dev_upgrade.asp endpoint without authentication. The uploaded file can be a .asp webshell for remote code execution, or a file that triggers the execution of rm -rf *.* to delete all files on the device, causing denial of service. [1]
Impact
Successful exploitation allows an attacker to achieve arbitrary file deletion leading to denial of service, or upload a webshell for reverse connection and backdoor access, potentially leading to privilege escalation and full compromise of the device. [1]
Mitigation
As of the publication date, no official patch has been released. Users should consider upgrading to a newer firmware version if available, or restrict access to the management interface to trusted networks. The device may be end-of-life; contact OPTILINK for support. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
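One way to check the "trusted networks only" mitigation above is to review access logs for uploads to the affected endpoint from outside the management range. The following is an added example, not code from the vendor or the cited reference; it assumes Common Log Format lines from a proxy or gateway in front of the device, and the sample lines, the trusted CIDR and the name `flag_upgrade_uploads` are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

UPGRADE_PATH = "/mgm_dev_upgrade.asp"  # endpoint named in the CVE description
# Assumption: Common Log Format, e.g. from a reverse proxy in front of the device.
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

def flag_upgrade_uploads(lines, trusted_cidrs):
    """Return POSTs to the upgrade endpoint whose source is outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] != "POST":
            continue
        # Match leniently so encoded or re-cased variants are not missed:
        # drop the query string, decode %-escapes, collapse '//', ignore case.
        path = unquote(m["target"].split("?", 1)[0])
        path = re.sub(r"/+", "/", path).lower()
        if path != UPGRADE_PATH:
            continue
        try:
            addr = ipaddress.ip_address(m["src"])
            is_trusted = any(addr in net for net in trusted)
        except ValueError:
            is_trusted = False  # unparseable source: report it rather than drop it
        if not is_trusted:
            hits.append({"src": m["src"], "time": m["ts"], "status": int(m["status"])})
    return hits

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.168.1.10 - - [12/Mar/2021:10:01:02 +0000] "POST /mgm_dev_upgrade.asp HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2021:10:05:44 +0000] "POST /mgm_dev_upgrade.asp HTTP/1.1" 200 498',
    '203.0.113.7 - - [12/Mar/2021:10:05:50 +0000] "GET /index.asp HTTP/1.1" 200 1024',
    '198.51.100.23 - - [12/Mar/2021:11:20:00 +0000] "POST /MGM_dev_upgrade%2Easp?x=1 HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for hit in flag_upgrade_uploads(SAMPLE, ["192.168.1.0/24"]):
        print(hit)
```

Any hit with a 2xx status from an untrusted source warrants checking the device for unexpected files.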
Affected products
- OPTILINK/OP-XT71000N
- Range: OP_V3.3.1-191028
Patches
No patches discovered yet.