VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2022 · Updated Apr 29, 2025

CVE-2020-23592


Description

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Reset ONU to Factory Default through '/mgm_dev_reset.asp'. Resetting to default leads to Escalation of Privileges by logging in with default credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in OPTILINK OP-XT71000N allows unauthenticated remote attackers to reset the device to factory defaults, enabling privilege escalation via default credentials.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the OPTILINK OP-XT71000N ONU/router, specifically in hardware version V2.2 with firmware version OP_V3.3.1-191028. The endpoint /mgm_dev_reset.asp does not implement any anti-CSRF token or validation, allowing an attacker to force an authenticated user's browser to execute a factory reset request without their consent [1].

Exploitation

The attack requires no authentication and can be performed remotely. The attacker crafts a malicious web page or HTML email containing a forged HTTP request to /mgm_dev_reset.asp. When a logged-in administrator visits the attacker-controlled page, the browser automatically sends the request, triggering the factory reset [1]. The attacker does not need any special network position beyond the ability to host a web page the victim visits.

Impact

A successful CSRF attack resets the device to factory default configuration, erasing all settings including administrator credentials. After the reset, the attacker (or any other party) can log in using the known default credentials for the device, effectively gaining full administrative privileges over the affected ONU/router [1]. This leads to complete compromise of the device's management interface.

Mitigation

As of the available reference [1], no official patch or firmware update from OPTILINK has been disclosed. Users should manually apply anti-CSRF tokens to the /mgm_dev_reset.asp endpoint or restrict access to authenticated and same-origin requests only. Additionally, changing default administrator credentials immediately after device setup reduces the impact, though a factory reset would nevertheless restore defaults. The device is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
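The mitigation above names two server-side controls: a per-session anti-CSRF token and a same-origin restriction on the reset endpoint. The following block is an added illustration of how a management interface would apply both checks before honouring a factory-reset request. It is not OPTILINK firmware code; only the endpoint path /mgm_dev_reset.asp comes from the advisory, and the request model, the management-UI origin, the helper names and the sample requests are all assumed or constructed for the example.

```python
"""Server-side CSRF defence for a state-changing endpoint (device factory reset).

Added example, not vendor code. Assumptions: a tiny Request model, a
server-side session dict, and a management UI served from TRUSTED_ORIGIN.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed address the management UI is served from; a real device would
# derive this from its configured management interface.
TRUSTED_ORIGIN = "https://192.168.1.1"
RESET_PATH = "/mgm_dev_reset.asp"  # endpoint named in the advisory


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (assumed model)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint a per-session synchroniser token and keep a copy server-side.

    The UI embeds the token in the reset form; a cross-site page cannot read
    it because of the same-origin policy, so a forged request cannot supply it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(request: Request) -> Optional[str]:
    """Return scheme://host[:port] from the Origin header, falling back to Referer."""
    origin = request.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = request.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_reset_request_allowed(request: Request, session: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed; returns (allowed, reason).

    Order matters: cheap structural checks first, the token comparison last,
    and the comparison is constant-time so timing does not leak the token.
    """
    if request.path != RESET_PATH:
        return False, "not the reset endpoint"
    if request.method != "POST":
        # A GET triggered by an <img> or link must never change state.
        return False, "state change must use POST"
    if request_origin(request) != TRUSTED_ORIGIN:
        return False, "origin/referer does not match the management UI"
    expected = session.get("csrf_token", "")
    supplied = request.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Run constructed sample requests through the check (sample data, not captured traffic)."""
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    samples = {
        # Forged GET from a third-party page (the browser still attaches the session cookie).
        "forged_get": Request("GET", RESET_PATH, {"Referer": "http://third-party.example/page.html"}),
        # Forged auto-submitted POST from a third-party origin, no token available to it.
        "forged_post": Request("POST", RESET_PATH, {"Origin": "http://third-party.example"}, {"reset": "1"}),
        # Right origin but a guessed token value.
        "guessed_token": Request("POST", RESET_PATH, {"Origin": TRUSTED_ORIGIN}, {"csrf_token": "guess"}),
        # Genuine submission from the management UI carrying the session token.
        "legitimate": Request("POST", RESET_PATH, {"Origin": TRUSTED_ORIGIN}, {"reset": "1", "csrf_token": token}),
    }
    return {name: is_reset_request_allowed(req, session)[0] for name, req in samples.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

Running the block blocks the three forged or malformed requests and allows only the genuine one. The origin check alone stops the scenario in this advisory (a browser on an unrelated site issuing the request), and the token check covers cases where Origin and Referer are absent or stripped by a privacy proxy; a device that adds both also gains a clear audit point, since every rejected reset can be logged with its reason string.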

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • OPTILINK/OP-XT71000N
  • Range: Hardware Version V2.2, Firmware Version OP_V3.3.1-191028

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions (0)

No linked articles in our index yet.