CVE-2024-51189
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts via the macList_Name_1.1.1.0.0 parameter on the /filters.htm page of affected TRENDnet routers. When exploited, it enables cross-site scripting attacks that could steal session cookies or redirect users to malicious sites. Users of TRENDnet TEW-651BR, TEW-652BRP, and TEW-652BRU devices with vulnerable firmware versions are affected.
💻 Affected Systems
- TRENDnet TEW-651BR
- TRENDnet TEW-652BRP
- TRENDnet TEW-652BRU
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator credentials, takes full control of router, redirects all network traffic to malicious sites, and installs persistent malware on connected devices.
Likely Case
Attacker steals session cookies to gain unauthorized access to router admin panel, modifies network settings, or redirects users to phishing pages.
If Mitigated
Limited to stealing session data from users who access the compromised admin interface, with no persistent compromise if proper session management is in place.
🎯 Exploit Status
Exploit requires attacker to trick authenticated user into visiting malicious link or submitting crafted form to /filters.htm page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Check TRENDnet website for firmware updates. 2. Download latest firmware for your model. 3. Log into router admin panel. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.
🔧 Temporary Workarounds
Disable Remote Admin Access
allPrevent external access to router admin interface
Login to router admin → Administration → Remote Management → Disable
Use Strong Admin Credentials
allChange default admin password to complex, unique password
Login to router admin → Administration → Password → Set strong password
🧯 If You Can't Patch
- Isolate router on separate VLAN with restricted access
- Implement web application firewall rules to block XSS payloads to /filters.htm
🔍 How to Verify
Check if Vulnerable:
Access router admin panel, navigate to /filters.htm, inspect macList_Name_1.1.1.0.0 parameter for lack of input sanitizationCheck Version:
Login to router admin panel and check firmware version in status/system informationVerify Fix Applied:
Test if script tags in macList_Name_1.1.1.0.0 parameter are properly sanitized or blocked📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /filters.htm with script tags
- Multiple failed login attempts followed by successful admin access
Network Indicators:
- HTTP traffic to router IP on admin port with XSS payloads in parameters
- Unusual outbound connections from router
SIEM Query:
source_ip=router_ip AND (uri_path="/filters.htm" AND (param="macList_Name_1.1.1.0.0" AND value CONTAINS "<script>"))