CVE-2023-30403

Vulnerability

The Aigital Wireless-N Repeater Mini_Router version 0.131229 uses a time-based authentication mechanism without proper session management. Once a legitimate user logs in, the web app does not issue a unique session token; instead, any subsequent connection to the web interface from the same network is automatically considered authenticated for the duration of the session. This flaw is present in the web interface of the device [1][2].

Exploitation

An attacker with network access to the web interface can simply wait for a legitimate user to log in, then connect to the web app in the same browser or any other client. No credentials, cookies, or additional steps are required; the attacker immediately gains access to the same administrative session [1][2].

Impact

A successful attacker bypasses the login page entirely and gains full access to the web application's administrative functionalities. The impact includes potential data disclosure (e.g., plaintext credentials from /config.dat) and further compromise of the device, as the web interface controls device configuration [1][2].

Mitigation

As of the publication date (2023-05-02), no official patch or updated firmware from Aigital has been released. Users can mitigate risk by restricting network access to the device's web interface (e.g., by firewall rules or placing it on a separate VLAN) and by ensuring no other users are logged in while accessing the device. The device may be end-of-life (EOL), as Aigital's website is no longer available [1][2].