CVE-2019-19825

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass CAPTCHA protection on affected TOTOLINK routers by retrieving the CAPTCHA text via a specific POST request. Once valid credentials are obtained, attackers can perform router actions using HTTP requests with Basic Authentication. This affects multiple TOTOLINK router models running Realtek SDK firmware.

💻 Affected Systems

Products:
  • TOTOLINK A3002RU
  • TOTOLINK A702R
  • TOTOLINK N301RT
  • TOTOLINK N302R
  • TOTOLINK N300RT
  • TOTOLINK N200RE
  • TOTOLINK N150RT
  • TOTOLINK N100RE
Versions: A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0
Operating Systems: Router firmware based on Realtek SDK
Default Config Vulnerable: ⚠️ Yes
Notes: Affects routers with web administration interface enabled. Realtek SDK-based routers from other manufacturers may also be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise allowing attackers to reconfigure network settings, intercept traffic, install malware, or use the router as part of a botnet.

🟠 Likely Case

Unauthorized access to the router administration interface leading to network configuration changes, DNS hijacking, or credential theft.

🟢 If Mitigated

Limited impact if routers are behind firewalls with restricted WAN access and strong administrative credentials.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a POST request to the boafrm/formLogin URI with specific parameters. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for specific fixed versions for each model

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates for your specific router model.
2. Download the latest firmware.
3. Log into the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and install the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable WAN administration access (applies to: all)

Prevent external access to the router administration interface:

1. Log into the router admin interface
2. Navigate to Remote Management/Administration settings
3. Disable WAN/Internet access to the admin interface

Change default credentials (applies to: all)

Use strong, unique administrative passwords:

1. Log into the router admin interface
2. Navigate to Administration/Password settings
3. Change the admin password to a strong, unique value

🧯 If You Can't Patch

  • Isolate affected routers in separate network segments with strict firewall rules
  • Implement network monitoring for suspicious POST requests to the /boafrm/formLogin URI

🔍 How to Verify

Check if Vulnerable:

Send a POST request to http://[router-ip]/boafrm/formLogin with the data {"topicurl":"setting/getSanvas"} and check whether the CAPTCHA text is returned

Check Version:

Log into router admin interface and check firmware version in System Status or About section

Verify Fix Applied:

After patching, repeat the same POST request: it should return an error, or at least no longer return the CAPTCHA text

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /boafrm/formLogin with topicurl parameter
  • Multiple failed login attempts followed by successful authentication
  • Unusual administrative configuration changes

Network Indicators:

  • HTTP POST requests to router IP on port 80/443 with specific payload
  • Traffic patterns indicating router configuration changes

SIEM Query:

source="router_logs" AND method="POST" AND uri="/boafrm/formLogin" AND data CONTAINS "getSanvas"
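The two log indicators above (CAPTCHA retrieval via topicurl=setting/getSanvas, and a successful login preceded by repeated failures from the same client) implemented as a small detector over constructed access-log lines. This is an added example, not code from TOTOLINK or any SIEM vendor; the log line format, the 401/200 status codes for failed/successful Basic Auth logins, and the failure threshold are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a real device).
# Assumed format: <timestamp> <client-ip> <method> <uri> <status> body=<raw body>
SAMPLE_LOGS = [
    '2024-05-01T10:00:01Z 198.51.100.7 GET /index.html 200 body=',
    '2024-05-01T10:00:02Z 198.51.100.7 POST /boafrm/formLogin 200 body={"topicurl":"setting/getSanvas"}',
    '2024-05-01T10:00:04Z 198.51.100.7 POST /boafrm/formLogin 401 body=username=admin&password=x',
    '2024-05-01T10:00:06Z 198.51.100.7 POST /boafrm/formLogin 401 body=username=admin&password=y',
    '2024-05-01T10:00:08Z 198.51.100.7 POST /boafrm/formLogin 200 body=username=admin&password=z',
    '2024-05-01T10:01:00Z 192.0.2.25 POST /boafrm/formLogin 200 body=username=admin&password=w',
    '2024-05-01T10:02:00Z 192.0.2.25 POST /boafrm/formWlan 200 body=ssid=home',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) body=(?P<body>.*)$'
)
LOGIN_URI = '/boafrm/formLogin'
FAILED_LOGIN_THRESHOLD = 2  # assumed: alert when a success follows >= 2 failures


def parse(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return (client_ip, alert) tuples for the indicators listed on this page."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per client IP
    for line in lines:
        rec = parse(line)
        # Only POSTs to the login handler matter for both indicators.
        if not rec or rec['method'] != 'POST' or rec['uri'] != LOGIN_URI:
            continue
        ip = rec['ip']
        if 'getSanvas' in rec['body']:
            alerts.append((ip, 'captcha-retrieval'))  # CAPTCHA bypass attempt
            continue
        if rec['status'] == '401':  # assumed: failed Basic Auth login
            failures[ip] += 1
        elif rec['status'] == '200':  # assumed: successful login
            if failures[ip] >= FAILED_LOGIN_THRESHOLD:
                alerts.append((ip, f'login-success-after-{failures[ip]}-failures'))
            failures[ip] = 0
    return alerts
```

Running `detect(SAMPLE_LOGS)` flags 198.51.100.7 twice (CAPTCHA retrieval, then a success after two failures) and nothing for 192.0.2.25, whose single successful login is not suspicious on its own.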
