Cleartext Submission of Password vulnerability in Skyworth Router
Description
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to transmission of authentication credentials in plaintext over the network. A remote attacker could exploit this vulnerability by eavesdropping on the victim’s network traffic to extract username and password from the web interface (Password Reset Page) of the vulnerable targeted system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Skyworth Router CM5100 sends authentication credentials in plaintext, allowing remote attackers to extract usernames and passwords by eavesdropping on network traffic.
Vulnerability
Skyworth Router CM5100, version 4.1.1.24, transmits authentication credentials in plaintext over the network. The vulnerability exists in the web interface, specifically on the Password Reset Page, where credentials are sent without encryption. A remote attacker can exploit this by passively eavesdropping on network traffic between the router and the victim's browser [1].
Exploitation
An attacker needs to be positioned on the same network segment as the victim (e.g., via man-in-the-middle, ARP spoofing, or monitoring unsecured Wi-Fi). No authentication is required to observe the traffic. The attacker passively captures packets during the password reset process, extracting the plaintext username and password from HTTP requests [1].
Impact
Successful exploitation results in disclosure of the victim's router login credentials. The attacker can then authenticate to the router's web interface with the same privilege level as the victim (typically administrative access). This could lead to full compromise of the router, including further attacks on the internal network [1].
Mitigation
According to the available reference [1], no fixed version or workaround has been disclosed as of the publication date. Users are advised to monitor vendor updates for a patched firmware release. Until a fix is available, network segmentation and enforcing HTTPS (if supported) may reduce risk, though the router appears to use HTTP for this functionality.
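To confirm on your own device whether the admin interface submits credentials over plain HTTP, a captured request can be audited as below. This is an added example, not vendor or advisory code; the request path, field names and the `SENSITIVE` name list are assumptions, and only field names are reported, never values.

```python
import json
from urllib.parse import parse_qsl

# Name fragments treated as credential-bearing (assumed; not the router's real field names).
SENSITIVE = ("pass", "pwd", "user", "login")

def _sensitive_keys(pairs):
    return sorted({k for k, v in pairs if v and any(s in k.lower() for s in SENSITIVE)})

def audit_http_request(raw: bytes) -> dict:
    """Flag credential-bearing parts of one cleartext HTTP request (names only, no values)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target = (lines[0].split(" ") + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    findings = [f"query:{k}" for k in _sensitive_keys(parse_qsl(query))]
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    text = body.decode("utf-8", errors="replace")
    pairs = []
    if ctype == "application/x-www-form-urlencoded":
        pairs = parse_qsl(text)
    elif ctype == "application/json":
        try:
            obj = json.loads(text)
        except ValueError:
            obj = None
        if isinstance(obj, dict):
            pairs = [(k, str(v)) for k, v in obj.items()]
    findings += [f"body:{k}" for k in _sensitive_keys(pairs)]
    # HTTP Basic auth is only base64-encoded, so over plain HTTP it is cleartext too.
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and blob.strip():
        findings.append("header:authorization-basic")
    return {"method": method, "path": path, "findings": findings}

# Constructed sample request; the path and field names are hypothetical.
SAMPLE = (
    b"POST /reset_password HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 41\r\n\r\n"
    b"username=admin&new_password=EXAMPLE-VALUE"
)

if __name__ == "__main__":
    print(audit_http_request(SAMPLE))
```

Any non-empty `findings` list for a request that left the browser as `http://` means the credential crossed the network unencrypted.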
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- Range: = 4.1.1.24
- Hathway/Skyworth Router CM5100v5 Range: 0
Patches
No patches discovered yet.
References