CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2023-24052

CVSS 9.8v3.1pub. 2023-12-04upd. 2024-11-21

An issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain control of the device via the change password functionality as it does not prompt for the current password.

🤖 AI Analysis
How it works

The password change function in Connectize AC21000 G6 firmware version 641.139.1.1256 does not verify user identity by requiring entry of the current password before changing it. An attacker can send a password change request without knowing the current administrative password, resulting in full control takeover of the device. The vulnerability is classified as improper authorization (CWE-863), as the system does not enforce proper access control for critical operations.

Impact

An attacker can gain full administrative control over the router by changing the access password without knowing the current authentication credentials. Consequences may include loss of access by the legitimate administrator, modification of network configuration, and potential exposure of the entire network infrastructure served by the device.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Additionally, it is recommended to restrict access to the device's administrative panel exclusively to trusted IP addresses and isolate the management interface from the public network.

Who is affected

Connectize AC21000 G6 with firmware version 641.139.1.1256

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Connectize Ac21000 G6

    HW
    Connectize
    wszystkie wersje
  • Connectize Ac21000 G6 Firmware

    OS
    Connectize
    641.139.1.1256
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2023-24049CRITICAL9.8PL ✓ten sam produkt

Privilege escalation w routerze Connectize AC21000 G6 — słabe zarządzanie poświadczeniami

CVE-2023-24051CRITICAL9.8PL ✓ten sam produkt

Brak ograniczenia liczby prób po stronie klienta w Connectize AC21000 G6

CVE-2023-24048HIGH8.8ten sam produkt

Cross Site Request Forgery (CSRF) vulnerability in Connectize AC21000 G6 641.139.1.1256 allows attackers to ga...

CVE-2023-24046MEDIUM6.8ten sam produkt

An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via...

CVE-2023-24047MEDIUM6.8ten sam produkt

An Insecure Credential Management issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to...