CVE-2020-13857

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to reboot Mofi Network MOFI4500-4GXeLTE routers by sending a simple HTTP GET request to poof.cgi. This affects users of specific firmware versions, potentially causing service disruption and denial of service.

💻 Affected Systems

Products:
  • Mofi Network MOFI4500-4GXeLTE
Versions: 3.6.1-std and 4.0.8-std
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects routers whose web management interface is reachable. The default configuration is likely vulnerable because poof.cgi can be requested without authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Persistent denial of service attacks could render the router unusable, disrupting all network connectivity for extended periods and potentially causing data loss during reboots.

🟠 Likely Case

Attackers cause temporary service disruption by repeatedly rebooting the router, interrupting internet connectivity and network services.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to isolated network segments with minimal business disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only an HTTP GET request to the vulnerable endpoint. No authentication or special tools are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for latest firmware

Vendor Advisory: https://mofinetwork.com/index.php?main_page=page&id=14

Restart Required: Yes

Instructions:

1. Log into router admin interface.
2. Navigate to firmware update section.
3. Download latest firmware from vendor.
4. Upload and apply update.
5. Reboot router after update completes.

🔧 Temporary Workarounds

Block External Access to Web Interface

linux

Configure firewall rules to block external access to router web management interface (typically port 80/443).

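# WAN_IF is a placeholder for the external (WAN) interface name; without -i these rules would also drop LAN-side management traffic.
iptables -A INPUT -i WAN_IF -p tcp --dport 80 -j DROP
iptables -A INPUT -i WAN_IF -p tcp --dport 443 -j DROP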

Disable Web Interface if Not Needed

all

Turn off web management interface if router configuration is stable and no longer needs frequent changes.

Check router admin interface for web interface disable option

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the router management interface from untrusted networks
  • Deploy a network-based intrusion prevention system (IPS) to detect and block poof.cgi requests

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to http://[router-ip]/poof.cgi and check whether the router reboots without authentication.

Check Version:

Log into router web interface and check firmware version in system status or about page.

Verify Fix Applied:

After patching, attempt the same request and verify that the router does not reboot and returns a proper authentication error.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /poof.cgi in router logs
  • Unexpected router reboot events in system logs

Network Indicators:

  • HTTP traffic to router IP on port 80/443 with /poof.cgi in URL
  • Increased reboot frequency patterns

SIEM Query:

source="router_logs" AND (url="/poof.cgi" OR event="reboot")
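
The two log indicators above, combined into one check, as an added example that is not part of the original advisory: it finds GET requests for /poof.cgi in an access log and pairs each with a reboot that followed shortly after. The log format (common log format from a proxy or sensor in front of the router), the reboot timestamp list, the 120-second window and all sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed sample data (assumed formats, not taken from a real device).
ACCESS_LOG = """\
203.0.113.7 - - [12/Jun/2020:10:15:02 +0000] "GET /poof.cgi HTTP/1.1" 200 0
192.168.10.5 - - [12/Jun/2020:10:40:11 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [12/Jun/2020:11:02:45 +0000] "GET /poof.cgi?t=1 HTTP/1.1" 200 0
192.168.10.5 - - [12/Jun/2020:12:30:00 +0000] "POST /poof.cgi HTTP/1.1" 403 0
""".splitlines()
REBOOT_EVENTS = ["2020-06-12T10:15:40+00:00", "2020-06-12T11:03:20+00:00",
                 "2020-06-12T15:00:00+00:00"]  # constructed boot timestamps

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def poof_requests(lines):
    """Return (time, source_ip, status) for every GET whose path is /poof.cgi."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, status = m.groups()
        # Drop the query string, decode %-escapes and fold case before matching.
        path = unquote(urlsplit(target).path).lower()
        if method == "GET" and path == "/poof.cgi":
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when, ip, int(status)))
    return hits

def correlate(hits, reboots, window=timedelta(seconds=120)):
    """Pair each request with the first reboot seen within `window` after it."""
    boots = sorted(datetime.fromisoformat(r) for r in reboots)
    alerts = []
    for when, ip, status in hits:
        followed = next((b for b in boots if when <= b <= when + window), None)
        alerts.append({"src": ip, "request": when, "reboot": followed})
    return alerts

if __name__ == "__main__":
    for a in correlate(poof_requests(ACCESS_LOG), REBOOT_EVENTS):
        verdict = "REBOOT FOLLOWED" if a["reboot"] else "request only"
        print(f'{a["request"].isoformat()} {a["src"]} {verdict}')
```

A request with no matching reboot is still worth reviewing, since it may have reached a patched device or been blocked upstream.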
