CVE-2021-25811
📋 TL;DR
This vulnerability in MERCUSYS Mercury X18G routers allows attackers to cause a denial of service by sending a crafted value to the POST listen_http_lan parameter. After exploitation and device restart, the web interface becomes inaccessible until the configuration file is manually repaired. This affects users of MERCUSYS Mercury X18G routers running firmware version 1.0.5.
💻 Affected Systems
- MERCUSYS Mercury X18G
⚠️ Risk & Real-World Impact
Worst Case
Permanent denial of service requiring physical access to reset the device or manual configuration file repair, rendering the router's web management interface permanently inaccessible.
Likely Case
Temporary denial of service until the device is manually reset or the configuration file is corrected, disrupting network management capabilities.
If Mitigated
No impact if the vulnerable parameter is not exposed to untrusted networks or if input validation is implemented.
🎯 Exploit Status
Exploitation requires sending a single crafted HTTP POST request to the vulnerable parameter. The proof-of-concept is publicly available in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch is available. Check vendor websites (mercurycom.com.cn, mercusys.com) for firmware updates. If an update becomes available, download and install it through the router's web interface.
🔧 Temporary Workarounds
Restrict Web Interface Access
Limit access to the router's web management interface to trusted internal networks only.
Disable Remote Management
Turn off remote management features if enabled, restricting web interface access to the local network.
🧯 If You Can't Patch
- Isolate the router on a separate VLAN with restricted access to prevent unauthorized network connections.
- Implement network monitoring to detect and block suspicious POST requests to the listen_http_lan parameter.
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in web interface under System Status or similar section. If version is 1.0.5, the device is vulnerable.
Check Version:
No CLI command available. Check via web interface at http://router-ip/ under system information.
Verify Fix Applied:
Verify firmware version has been updated to a version later than 1.0.5. Test web interface functionality after any configuration changes.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to router management interface with crafted listen_http_lan parameter values
- Multiple failed web interface access attempts followed by service disruption
Network Indicators:
- HTTP POST requests containing malicious listen_http_lan parameter values directed at router IP
- Sudden loss of web interface accessibility on port 80/443
SIEM Query:
dest_ip="router_ip" AND http_method="POST" AND uri_path CONTAINS "/cgi-bin/luci" AND http_params CONTAINS "listen_http_lan"
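The same check as an offline log scan, added here as an example (not vendor or PoC code). It flags any POST to the router that carries listen_http_lan, whether the body is form-encoded or JSON. The record schema, IP addresses, admin allowlist and sample lines are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs

ROUTER_IP = "192.168.1.1"        # assumption: the router's LAN address
ADMIN_HOSTS = {"192.168.1.10"}   # assumption: hosts expected to manage it
PARAM = "listen_http_lan"        # parameter named in the advisory
PATH_PREFIX = "/cgi-bin/luci"    # path taken from the page's SIEM query

# Constructed sample records (one JSON object per line), not captured traffic.
SAMPLE_LOG = [
    '{"ts":"T1","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","method":"GET","uri_path":"/cgi-bin/luci/","body":""}',
    '{"ts":"T2","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","method":"POST","uri_path":"/cgi-bin/luci/x","body":"listen_http_lan=80"}',
    json.dumps({"ts": "T3", "src_ip": "192.168.1.77", "dest_ip": "192.168.1.1", "method": "POST",
                "uri_path": "/cgi-bin/luci/x", "body": json.dumps({"cfg": {PARAM: "CONSTRUCTED"}})}),
    '{"ts":"T4","src_ip":"192.168.1.77","dest_ip":"192.168.1.50","method":"POST","uri_path":"/login","body":"listen_http_lan=1"}',
    "truncated, not JSON",
]

def has_param(body, name):
    """True if `name` is a key in a form-encoded or (nested) JSON body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return name in parse_qs(body, keep_blank_values=True)
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if name in node:
                return True
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return False

def find_suspect_posts(lines, router_ip=ROUTER_IP, admin_hosts=ADMIN_HOSTS):
    """Return (ts, src_ip, severity) for each POST to the router carrying PARAM."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(rec, dict) or rec.get("dest_ip") != router_ip:
            continue
        if str(rec.get("method", "")).upper() != "POST" or not str(rec.get("uri_path", "")).startswith(PATH_PREFIX):
            continue
        if has_param(rec.get("body") or "", PARAM):
            severity = "review" if rec.get("src_ip") in admin_hosts else "alert"
            hits.append((rec.get("ts"), rec.get("src_ip"), severity))
    return hits
```

A hit from an allowlisted admin host is marked "review" rather than "alert", since a legitimate settings change can carry the same parameter.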
🔗 References
- https://github.com/pokerfacett/MY_REQUEST/blob/master/Mercury%20Router%20X18g%20v1.0.5%20Denial%20of%20Service.md
- https://www.mercurycom.com.cn/product-521-1.html
- https://www.mercusys.com/en/