CVE-2025-56311
📋 TL;DR
This CVE describes an authenticated CSRF vulnerability in the web management interface of Shenzhen C-Data Technology Co. FD602GW-DX-R410 routers. An attacker can trick an authenticated administrator into visiting a malicious webpage that silently reboots the router, causing denial of service. Only administrators with active web interface sessions are affected.
💻 Affected Systems
- Shenzhen C-Data Technology Co. FD602GW-DX-R410
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sustained network disruption through repeated reboots, potentially causing extended downtime for connected devices and services.
Likely Case
Temporary network interruption when an administrator visits a malicious site, requiring manual intervention to restore connectivity.
If Mitigated
No impact if CSRF protections are implemented or administrators avoid untrusted websites while authenticated.
🎯 Exploit Status
Exploitation requires social engineering to lure authenticated administrators to malicious sites. Proof-of-concept code is available in GitHub references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
Check vendor website for firmware updates. If available, download latest firmware and apply through web interface.
🔧 Temporary Workarounds
Implement CSRF tokens
allAdd CSRF protection to the reboot endpoint if custom firmware modification is possible.
Log out after administration
allAdministrators should log out of web interface immediately after completing tasks.
🧯 If You Can't Patch
- Restrict web management interface access to trusted internal networks only
- Use browser extensions that block CSRF attempts or implement same-origin policies
🔍 How to Verify
Check if Vulnerable:
Check if firmware version is v2.2.14 and test if /boaform/admin/formReboot endpoint lacks CSRF tokens.Check Version:
Check web interface system status page or use vendor-specific CLI commands if available.Verify Fix Applied:
Verify firmware version is updated beyond v2.2.14 and test that reboot endpoint requires CSRF validation.📡 Detection & Monitoring
Log Indicators:
- Unexpected reboot events in system logs
- Multiple POST requests to /boaform/admin/formReboot from unusual sources
Network Indicators:
- Sudden loss of connectivity followed by router reboot
- HTTP requests to reboot endpoint from external IPs
SIEM Query:
source="router_logs" AND (event="reboot" OR uri="/boaform/admin/formReboot")