Login Sign Up

CVE-2017-14147

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows unauthenticated attackers to factory reset FiberHome AN1020-25 routers by accessing a specific URL. Attackers can then use default credentials to gain administrative access. Only users of the affected router model are impacted.

💻 Affected Systems

Products:
  • FiberHome AN1020-25 ADSL Router
Versions: All versions prior to patch
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects FiberHome AN1020-25 model routers. Other models may have similar vulnerabilities but are not confirmed.

📦 What is this software?

Adsl An1020 25 Firmware by Fiberhome

View all CVEs affecting Adsl An1020 25 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing network traffic interception, DNS hijacking, and lateral movement into connected devices.

🟠

Likely Case

Router takeover leading to internet service disruption, credential theft, and unauthorized network access.

🟢

If Mitigated

No impact if router is not internet-facing or has been patched/updated.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication.
🏢 Internal Only: MEDIUM - Requires internal network access but still exploitable without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP GET request to /restoreinfo.cgi triggers factory reset. Multiple public exploit scripts available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - check with vendor

Vendor Advisory: Not publicly available

Restart Required: Yes

Instructions:

1. Contact FiberHome for firmware updates. 2. Download latest firmware from vendor portal. 3. Upload via router admin interface. 4. Reboot router after update.

🔧 Temporary Workarounds

Block External Access

linux

Configure firewall to block WAN access to router admin interface

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Change Default Credentials

all

Change router admin password from default to prevent post-reset access

🧯 If You Can't Patch

  • Replace router with different model that doesn't have this vulnerability
  • Place router behind separate firewall that blocks all external management access

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[router-ip]/restoreinfo.cgi from network. If page loads without authentication, vulnerable.

Check Version:

Check router web interface or use nmap -sV -p80 [router-ip]

Verify Fix Applied:

After update, same URL should require authentication or return 404/403 error.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /restoreinfo.cgi
  • Router configuration reset events
  • Multiple failed login attempts after reset

Network Indicators:

  • Unusual HTTP traffic to router management interface
  • DNS changes to malicious servers
  • Unexpected factory reset commands

SIEM Query:

source="router.log" AND (uri="/restoreinfo.cgi" OR event="factory_reset")

📊 Metadata

CVE ID: CVE-2017-14147
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287
Published: September 7, 2017
Last Updated: April 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-14147, you might also want to check these:

CVE-2024-27767 10.0

CVE-2024-27767 is an authentication bypass vulnerability that allows attackers to gain unauthorized ...

Same vulnerability type (CWE-287)
CVE-2026-24898 10.0

OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure vulnerability in the MedEx...

Same vulnerability type (CWE-287)
CVE-2019-1867 10.0

This vulnerability allows unauthenticated remote attackers to bypass authentication on Cisco Elastic...

Same vulnerability type (CWE-287)