CVE-2023-3703
📋 TL;DR
Proscend ICR Series routers with firmware version 1.76 have default administrative credentials that cannot be changed. This allows attackers to gain full administrative control of affected routers. Organizations using these routers with default configurations are vulnerable.
💻 Affected Systems
- Proscend ICR Series routers
📦 What is this software?
M331 Firmware by Proscend
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of router allowing traffic interception, network pivoting, credential theft, and deployment of persistent malware across the network.
Likely Case
Unauthorized administrative access leading to network reconnaissance, configuration changes, and potential data exfiltration.
If Mitigated
Limited impact if default credentials were changed during initial setup, though some devices may remain vulnerable.
🎯 Exploit Status
Exploitation requires only knowledge of the default credentials and network access to the management interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.gov.il/en/Departments/faq/cve_advisories
Restart Required: No
Instructions:
1. Access router web interface
2. Navigate to administration settings
3. Change default administrative credentials to strong, unique passwords
4. Save configuration changes
🔧 Temporary Workarounds
Change Default Credentials
Immediately change all default administrative passwords on affected routers
Restrict Management Access
Limit management interface access to trusted IP addresses only
🧯 If You Can't Patch
- Isolate affected routers in separate network segments with strict firewall rules
- Implement network monitoring for unauthorized access attempts to router management interfaces
🔍 How to Verify
Check if Vulnerable:
Attempt to log into router web interface using default credentials (check vendor documentation for defaults)
Check Version:
Check firmware version in router web interface under System Information or via SSH/Telnet if enabled
Verify Fix Applied:
Verify that the default credentials no longer work and that only the new credentials are accepted
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts followed by successful login with default credentials
- Configuration changes from unexpected IP addresses
Network Indicators:
- Unauthorized access to router management ports (typically 80, 443, 22, 23)
- Traffic patterns indicating router compromise
SIEM Query:
source="router_logs" (event_type="authentication" AND (username="admin" OR username="root") AND result="success")
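As an added illustration of the log indicators and SIEM query above (example code written for this page, not from the advisory or from Proscend), this Python script parses constructed router log lines and raises an alert for every successful login to the admin or root account, recording how many failed attempts from the same source preceded it, plus an alert for configuration changes from addresses outside a trusted set. The log field layout, the function name `detect_router_indicators` and the trusted IP set are assumptions; adapt `LOG_RE` to the router's real syslog format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page or any real Proscend device);
# the field layout is an assumption, so adapt LOG_RE to your router's syslog format.
SAMPLE_LOGS = """\
2024-01-01T10:00:01 src=192.0.2.10 event=authentication user=admin result=failure
2024-01-01T10:00:03 src=192.0.2.10 event=authentication user=admin result=failure
2024-01-01T10:00:05 src=192.0.2.10 event=authentication user=admin result=success
2024-01-01T10:05:00 src=10.0.0.5 event=authentication user=netops result=success
2024-01-01T10:06:00 src=10.0.0.5 event=authentication user=root result=success
2024-01-01T10:07:00 src=198.51.100.7 event=config_change user=admin result=success
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) event=(?P<event>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)
DEFAULT_ACCOUNTS = {"admin", "root"}  # the account names the page's SIEM query watches

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_router_indicators(lines, trusted_ips):
    """Flag successful logins to default accounts (with the count of preceding failures
    from the same source) and configuration changes from sources outside trusted_ips."""
    failures = defaultdict(int)  # source IP -> consecutive failed logins so far
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, trusted = rec["ip"], rec["ip"] in trusted_ips
        if rec["event"] == "authentication":
            if rec["result"] == "failure":
                failures[ip] += 1
                continue
            if rec["user"] in DEFAULT_ACCOUNTS:
                alerts.append({"kind": "default_account_login", "ts": rec["ts"], "ip": ip,
                               "user": rec["user"], "prior_failures": failures[ip],
                               "trusted_source": trusted})
            failures[ip] = 0  # a successful login closes the failure run for this source
        elif rec["event"] == "config_change" and not trusted:
            alerts.append({"kind": "config_change_untrusted", "ts": rec["ts"], "ip": ip,
                           "user": rec["user"], "prior_failures": 0, "trusted_source": False})
    return alerts
```

Feed the function your real management-plane logs and the addresses allowed by the "Restrict Management Access" workaround; any `default_account_login` alert after the fix has been applied means the default account is still usable.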