CVE-2024-1623
📋 TL;DR
This vulnerability allows a local attacker to bypass authentication on the Sagemcom FAST3686 V2 Vodafone router's administration panel due to improper session timeout handling. Attackers can gain unauthorized access to router settings without valid credentials. Only users of this specific router model are affected.
💻 Affected Systems
- Sagemcom FAST3686 V2 Vodafone router
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical or network access could reconfigure router settings, intercept network traffic, change DNS settings, or disable security features, potentially leading to complete network compromise.
Likely Case
Local attackers (including malicious insiders or guests on the network) gain unauthorized administrative access to the router, allowing them to view/modify settings, but not necessarily leading to broader network compromise.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the local network segment where the router resides.
🎯 Exploit Status
Exploitation requires accessing specific ASP files (Login.asp, logout.asp) without proper authentication checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with Vodafone/Sagemcom for specific firmware version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/insufficient-session-timeout-vulnerability-sagemcom-router
Restart Required: Yes
Instructions:
1. Check Vodafone/Sagemcom website for firmware updates. 2. Download latest firmware. 3. Access router admin panel. 4. Navigate to firmware update section. 5. Upload and apply update. 6. Reboot router.
🔧 Temporary Workarounds
Restrict admin panel access
allLimit access to router administration interface to specific trusted IP addresses only
Change default admin credentials
allEnsure strong, unique admin passwords are set even though vulnerability bypasses authentication
🧯 If You Can't Patch
- Segment network to isolate router management interface from general user traffic
- Implement network monitoring to detect unauthorized access attempts to router admin panel
🔍 How to Verify
Check if Vulnerable:
Attempt to access router administration panel without credentials after previous session; if access is granted without login, system is vulnerable.Check Version:
Check router web interface for firmware version or use command: telnet/router CLI if availableVerify Fix Applied:
After patching, attempt to access admin panel without credentials; should be redirected to login page.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to Login.asp/logout.asp files
- Admin panel access without authentication logs
- Multiple failed login attempts followed by successful access
Network Indicators:
- HTTP requests to router IP on admin ports without preceding authentication
- Unusual configuration changes from unexpected sources
SIEM Query:
source="router_logs" AND (url="*Login.asp" OR url="*logout.asp") AND status="200" AND NOT user="authenticated"