CVE-2022-47848

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to bypass authentication and access sensitive information via the rootDesc.xml page of the UPnP service on affected Bezeq Vtech routers. Attackers can exploit this to gain unauthorized access to router configuration and potentially other sensitive data. Users of Bezeq Vtech NB403-IL and IAD604-IL routers with specific firmware versions are affected.

💻 Affected Systems

Products:
  • Bezeq Vtech NB403-IL
  • Bezeq Vtech IAD604-IL
Versions: NB403-IL: BZ_2.02.07.09.13.01; IAD604-IL: BZ_2.02.07.09.13.01, BZ_2.02.07.09.13T, BZ_2.02.07.09.09T
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects routers with UPnP service enabled (typically default).


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise allowing attackers to reconfigure network settings, intercept traffic, install malware, or use the router as a pivot point into the internal network.

🟠 Likely Case

Unauthorized access to router configuration, exposure of network credentials, and potential modification of DNS or firewall settings.

🟢 If Mitigated

Limited information disclosure if UPnP is disabled and proper network segmentation is in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via the UPnP service, which is typically internet-facing on routers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to gain elevated privileges on the router.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves simple HTTP requests to the UPnP service's rootDesc.xml endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Check the vendor website for firmware updates and apply one if it is released.

🔧 Temporary Workarounds

Disable UPnP Service

Platform: all

Turn off Universal Plug and Play service to prevent exploitation via the vulnerable endpoint.

Access router admin interface -> Advanced Settings -> UPnP -> Disable

Block External UPnP Access

Platform: linux

Configure firewall to block external access to UPnP ports (typically 1900/udp and 5000/tcp).

iptables -A INPUT -p udp --dport 1900 -j DROP
iptables -A INPUT -p tcp --dport 5000 -j DROP

🧯 If You Can't Patch

  • Isolate affected routers in a separate VLAN with strict firewall rules
  • Implement network monitoring for unusual UPnP traffic patterns

🔍 How to Verify

Check if Vulnerable:

Access http://[router-ip]:5000/rootDesc.xml without authentication. If it returns router configuration data, the device is vulnerable.

Check Version:

Check router web interface -> System Information -> Firmware Version

Verify Fix Applied:

Attempt to access the rootDesc.xml endpoint after applying the workarounds. The request should return an authentication error or the connection should be refused.

📡 Detection & Monitoring

Log Indicators:

  • Multiple unauthorized access attempts to /rootDesc.xml
  • Unusual UPnP service activity

Network Indicators:

  • External IP addresses accessing internal router UPnP ports
  • Unusual traffic patterns to port 5000/tcp

SIEM Query:

source_ip=external AND dest_port=5000 AND uri_path="/rootDesc.xml"
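
The SIEM query and log indicators above, written as a log filter that counts requests per external source. This is an added example, not part of the original advisory; the key=value log format, the field names (src, dport, path) and the internal address ranges are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: address ranges considered internal; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: key=value log format; the field names are hypothetical.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
2023-01-10T08:00:01Z src=203.0.113.7 dst=192.168.1.1 dport=5000 path=/rootDesc.xml
2023-01-10T08:00:02Z src=203.0.113.7 dst=192.168.1.1 dport=5000 path=/rootDesc.xml?x=1
2023-01-10T08:00:05Z src=192.168.1.23 dst=192.168.1.1 dport=5000 path=/rootDesc.xml
2023-01-10T08:00:09Z src=198.51.100.4 dst=192.168.1.1 dport=80 path=/rootDesc.xml
2023-01-10T08:00:11Z src=198.51.100.4 dst=192.168.1.1 dport=5000 path=/index.html
2023-01-10T08:00:12Z src=not-an-ip dst=192.168.1.1 dport=5000 path=/rootDesc.xml
"""

def is_external(addr):
    """True if addr parses as an IP outside INTERNAL_NETS; False if unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def external_rootdesc_hits(log_text):
    """Count requests per external source to port 5000 with path /rootDesc.xml."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        path = f.get("path", "").split("?", 1)[0]  # ignore any query string
        if (f.get("dport") == "5000" and path == "/rootDesc.xml"
                and is_external(f.get("src", ""))):
            hits[f["src"]] += 1
    return hits

if __name__ == "__main__":
    for src, n in external_rootdesc_hits(SAMPLE_LOG).most_common():
        print(f"{src} requested /rootDesc.xml on 5000/tcp {n} time(s)")
```

Lines with an unparsable source address are skipped rather than counted, so malformed records need separate review.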
