VYPR
Unrated severity · NVD Advisory · Published Dec 28, 2023 · Updated Aug 2, 2024

CVE-2023-49229

Description

Peplink Balance Two before 8.4.0 allows read-only users to obtain sensitive device configuration via missing authorization in the web service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An issue exists in the administration web service of Peplink Balance Two firmware versions prior to 8.4.0. A missing authorization check allows read-only, unprivileged users to access sensitive device configuration information that should be restricted. The vulnerability is present in the web interface handling of authenticated requests, where privilege level enforcement is insufficient.

Exploitation

An attacker must have valid credentials for a read-only or unprivileged account on the Peplink Balance Two device. No additional network position or user interaction beyond authentication is required. The attacker can send crafted HTTP requests to the administration web service endpoints that do not properly enforce authorization, bypassing the intended read-only restrictions.

Impact

Successful exploitation results in disclosure of sensitive device configuration data. This information can include network settings, VPN credentials, firewall rules, and other operational parameters. The attacker gains no write access or code execution, but the leaked configuration can facilitate further targeted attacks against the network. The compromise is limited to information disclosure at the read-only privilege level.

Mitigation

The issue is fixed in Peplink Balance Two firmware version 8.4.0, released December 2023. Users should upgrade to 8.4.0 or later. No workarounds are documented in the available references [1]. If upgrade is not possible, restricting access to the web interface via network segmentation may reduce risk.

References
  1. Publications

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
