CVE-2024-28288
📋 TL;DR
The Ruijie RG-NBR700GW router version 10.3(4b12) lacks proper cookie verification during password reset, allowing attackers to reset the administrator password without authentication. This enables unauthorized administrative access to the router, potentially disrupting enterprise operations. Organizations using this specific router version are affected.
💻 Affected Systems
- Ruijie RG-NBR700GW
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete network compromise: attacker gains administrative control, reconfigures network settings, intercepts traffic, deploys malware, or disables the router entirely.
Likely Case
Unauthorized administrative access leading to network disruption, configuration changes, or data interception.
If Mitigated
Limited impact if router is behind firewalls with strict access controls and network segmentation.
🎯 Exploit Status
Exploit requires sending crafted HTTP requests to the password reset endpoint without proper cookie validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check Ruijie official website or contact vendor for firmware updates. If update available, download and apply via router's web interface or CLI.
🔧 Temporary Workarounds
Restrict Management Interface Access
Limit access to the router's web management interface to trusted IP addresses only.
Configure firewall rules to allow only specific IPs to access the router's management ports (typically 80/443).
Disable Remote Management
Turn off remote management features if they are not required.
Access router settings → Administration → Remote Management → Disable.
🧯 If You Can't Patch
- Isolate the router in a separate VLAN with strict access controls.
- Implement network monitoring for unusual administrative login attempts or configuration changes.
🔍 How to Verify
Check if Vulnerable:
Check router firmware version via web interface (System → Status) or CLI command 'show version'.
Check Version:
show version
Verify Fix Applied:
Verify that the firmware version is later than 10.3(4b12), or confirm that the password reset function rejects requests that do not carry a valid session cookie.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful admin login from new IP
- Password reset requests without valid session cookies
Network Indicators:
- HTTP POST requests to password reset endpoints without proper cookie headers
- Unusual administrative access from unexpected IP addresses
SIEM Query:
source="router_logs" AND (event="password_reset" OR event="admin_login") AND cookie="missing"
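The log and network indicators above can be checked outside a SIEM as well. The following is an added example, not code from the advisory or from Ruijie: a small Python detector that runs over constructed sample log lines (the line format, the event names and the trusted-admin allow-list are assumptions for the example) and raises an alert for the three indicators listed above: a password reset handled with no session cookie, a burst of failed admin logins followed by a success, and a successful admin login from an IP outside the allow-list.

```python
import re
from collections import defaultdict

# Constructed sample log lines for the example; not real router output.
# Assumed format: "<timestamp> <src_ip> <method> <path> cookie=<present|missing> result=<ok|fail> event=<name>"
SAMPLE_LOGS = [
    "2024-03-10T09:00:01 10.0.0.5 POST /login cookie=present result=fail event=admin_login",
    "2024-03-10T09:00:05 10.0.0.5 POST /login cookie=present result=fail event=admin_login",
    "2024-03-10T09:00:09 10.0.0.5 POST /login cookie=present result=fail event=admin_login",
    "2024-03-10T09:00:12 10.0.0.5 POST /login cookie=present result=ok event=admin_login",
    "2024-03-10T09:01:00 203.0.113.7 POST /reset_password cookie=missing result=ok event=password_reset",
    "2024-03-10T09:02:00 192.168.1.10 POST /login cookie=present result=ok event=admin_login",
    "2024-03-10T09:03:00 192.168.1.10 POST /reset_password cookie=present result=ok event=password_reset",
]

# Assumed allow-list of hosts that are permitted to administer the router.
KNOWN_ADMIN_IPS = {"192.168.1.10"}
# Number of consecutive failed logins that makes a following success suspicious.
FAILED_LOGIN_THRESHOLD = 3

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"cookie=(?P<cookie>present|missing) result=(?P<result>ok|fail) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one log line in the assumed format; return None for anything else."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, known_admin_ips=KNOWN_ADMIN_IPS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of alert dicts ({'rule', 'ip', 'line'}) for the indicators in the advisory."""
    alerts = []
    failed = defaultdict(int)  # consecutive failed admin logins per source IP
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines that do not match the assumed format
        ip, event, cookie, result = rec["ip"], rec["event"], rec["cookie"], rec["result"]

        # Indicator 1: the reset endpoint processed a request carrying no session cookie.
        if event == "password_reset" and cookie == "missing":
            alerts.append({"rule": "reset_without_cookie", "ip": ip, "line": line})

        if event == "admin_login":
            if result == "fail":
                failed[ip] += 1
                continue
            # Indicator 2: a run of failures from this IP immediately followed by a success.
            if failed[ip] >= threshold:
                alerts.append({"rule": "failures_then_success", "ip": ip, "line": line})
            # Indicator 3: successful administrative login from a host outside the allow-list.
            if ip not in known_admin_ips:
                alerts.append({"rule": "admin_login_unexpected_ip", "ip": ip, "line": line})
            failed[ip] = 0  # a success resets the failure counter for that IP
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(f"[{alert['rule']}] {alert['ip']}: {alert['line']}")
```

On the constructed sample the detector raises three alerts: the reset from 203.0.113.7 with no cookie, and the login from 10.0.0.5 that both follows three failures and comes from outside the allow-list. The legitimate reset from 192.168.1.10 carries a cookie and comes from an allowed host, so it is not flagged.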
🔗 References
- https://github.com/adminquit/CVE-2024-28288/blob/d8223c6d45af877669c27fa0a95adfe51924fa86/CVE-2024-28288/CVE-2024-28288.md
- https://pan.baidu.com/s/1H4J_eA6wSCnDEsUSAWIzsg?pwd=CVE1