CVE-2022-35203

Shruti Kapoor
Aug 19, 2022


An access control issue in TRENDnet TV-IP572PI

Discovered by: Shruti Kapoor

Model number: TV-IP572PI

Version: 1.0

Vendor homepage: http://trendnet.com

BUG DESCRIPTION

A vulnerability in the TRENDnet web administrative interface on version 1.0 could allow an unauthenticated remote user to reach a sensitive part of the system with a high-privileged account.

The vulnerability is due to the presence of a default account with the username "admin" and the password "admin". An attacker could exploit it by using this default account to connect to the affected system. A successful exploit gives the attacker read and write access to system data, including the configuration of the affected device: the attacker reaches a sensitive portion of the system and holds full administrative rights to control the device, which increases the severity of the vulnerability. Until the default credentials are changed, anyone who can reach the web interface over the network can log in as administrator.

Attack Vector:

A malicious attacker could exploit this vulnerability by remotely logging in to an affected system with the default credentials.

Steps to Reproduce:

1. Go to the TRENDnet admin panel.

2. Enter the username "admin" and the password "admin" and click "sign in".

3. You are redirected to the administrative panel, where you can read and control the device and change the device's configuration remotely.
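The steps above are a manual check. The script below is an added example (not part of the original post or of any TRENDnet code) that automates the same check: it tries the default "admin"/"admin" pair against a device's web interface and reports whether the device still accepts it. It assumes the interface authenticates with HTTP Basic auth, which is an assumption about the device, not a fact stated in the post; a login form would need a different request. To run offline, it includes a constructed mock camera web UI that accepts one configurable credential pair, standing in for the real device.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# The only default pair the advisory names. Callers may pass a longer list.
DEFAULT_CREDS = [("admin", "admin")]


def _basic_header(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def check_default_credentials(base_url, creds=DEFAULT_CREDS, path="/", timeout=5):
    """Try each (user, password) pair against base_url with HTTP Basic auth.

    Returns the first pair the device accepts (HTTP 200), or None if every
    pair is rejected with 401/403. Any other HTTP error is raised so a
    misconfigured target is not silently reported as 'not vulnerable'.
    Assumes the device uses Basic auth (an assumption, see lead-in).
    """
    for user, password in creds:
        req = Request(base_url.rstrip("/") + path,
                      headers={"Authorization": _basic_header(user, password)})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if resp.getcode() == 200:
                    return (user, password)
        except HTTPError as err:
            if err.code in (401, 403):
                continue  # credentials rejected, try the next pair
            raise
    return None


class _MockCameraHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a camera admin UI protected by Basic auth."""
    accepted = ("admin", "admin")  # overridden per instance by start_mock_device

    def do_GET(self):
        if self.headers.get("Authorization", "") == _basic_header(*self.accepted):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>administrative panel</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the mock quiet


def start_mock_device(accepted=("admin", "admin")):
    """Start a mock device on a free loopback port; return (server, base_url)."""
    handler = type("Handler", (_MockCameraHandler,), {"accepted": accepted})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def stop_mock_device(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    # Device still on factory credentials: the check reports the accepted pair.
    server, url = start_mock_device(("admin", "admin"))
    print("factory device:", check_default_credentials(url))
    stop_mock_device(server)
    # Device whose password was changed: the default pair is rejected.
    server, url = start_mock_device(("admin", "a-changed-password"))
    print("hardened device:", check_default_credentials(url))
    stop_mock_device(server)
```

Point `check_default_credentials` at a real device's base URL (for example `http://192.0.2.10`, a documentation address used here as a placeholder) to verify that the default password has been changed; a result of `None` means the "admin"/"admin" pair was rejected, while a returned pair means the device is still exposed.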

Proof of Concept:

Thank you for reading :)


Shruti Kapoor

I am a security researcher and a bug hunter who loves studying cyber security and networking.