Critical vulnerabilities detected in 4G routers
Vulnerabilities allow attackers to gain access to confidential user information and execute commands.
Security researchers from Pen Test Partners discovered numerous vulnerabilities in 4G routers from various vendors. Exploiting them allows attackers to gain access to confidential user information and execute commands.
Vulnerabilities affect 4G routers of various price categories, from consumer routers and dongles to very expensive devices intended for use in large corporate networks.
Exploiting vulnerabilities (CVE-2019-3411 and CVE-2019-3412) detected in ZTE's MF920 router allows attackers to gain access to user data or execute arbitrary commands. The latter vulnerability is critical and was rated 9.8 on the CVSS v3 scale.
The Netgear Nighthawk M1 Mobile router was affected by a CSRF vulnerability (CVE-2019-14526) and a post-authentication command injection vulnerability (CVE-2019-14527), which allowed arbitrary code to be executed on the vulnerable device if “the user set an unreliable password in the web interface”.
Two vulnerabilities were discovered in the TP-LINK M7350 4G LTE mobile wireless router (CVE-2019-12103 and CVE-2019-12104). Exploiting them allows commands to be executed before and after authentication, respectively.
The researchers reported all discovered vulnerabilities to the vendors, and most of them were fixed.