KuWFi CPF908-CP5 Unauthenticated Access Control Vulnerabilities Allowing Information Disclosure and SMS Manipulation
Vulnerability
Multiple unauthenticated access control vulnerabilities have been identified in KuWFi CPF908-CP5 devices running WEB5.0_LCD_20210125. These vulnerabilities exist within the goform/goform_set_cmd_process and goform/goform_get_cmd_process endpoints. They allow an unauthenticated attacker to access sensitive information, including the device admin username and password, alter critical device settings, and send arbitrary SMS messages.
Impact
Exploitation of these vulnerabilities could lead to unauthorized access to admin credentials and sensitive device information, unauthorized modification of device settings, and the ability to send SMS messages from the device without authentication.
Reproduction
To reproduce this vulnerability, send HTTP requests to the goform/goform_set_cmd_process endpoint with the appropriate parameters to exploit the vulnerable functionality. For example, SMS messages can be sent by using the goformId parameter set to SEND_SMS. Similarly, other critical settings can be modified or reset to factory settings by using the corresponding goformId values. The goform/goform_get_cmd_process endpoint can be accessed to retrieve admin credentials and device information.
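For detection, the following added example (not part of the original advisory or the vendor's code) scans proxy access logs for requests to the two endpoints from hosts that are not expected to manage the device. The log layout, the MGMT_HOSTS allowlist, and all sample addresses and timestamps are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoint names and the SEND_SMS goformId value are taken from the advisory.
SET_EP = "goform/goform_set_cmd_process"
GET_EP = "goform/goform_get_cmd_process"
# Assumption: the only host expected to manage the router (constructed address).
MGMT_HOSTS = {"192.168.0.10"}
# Assumption: common/combined access-log layout from a proxy in front of the device.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines, not captured traffic.
SAMPLE = [
    '192.168.0.10 - - [12/Mar/2024:10:00:01 +0000] "GET /goform/goform_get_cmd_process HTTP/1.1" 200 512',
    '192.168.0.77 - - [12/Mar/2024:10:02:13 +0000] "GET /goform/goform_get_cmd_process HTTP/1.1" 200 498',
    '192.168.0.77 - - [12/Mar/2024:10:02:20 +0000] "GET //goform/goform_set_cmd_process?goformId=SEND_SMS HTTP/1.1" 200 20',
    '192.168.0.91 - - [12/Mar/2024:10:05:42 +0000] "POST /goform/goform%5Fset_cmd_process HTTP/1.1" 200 20',
    '192.168.0.91 - - [12/Mar/2024:10:05:50 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def classify(line):
    """Return (src, timestamp, finding) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_path, _, query = m["target"].partition("?")
    # Normalise percent-encoding, duplicate slashes and case before matching,
    # so trivially obfuscated paths are still recognised.
    path = re.sub(r"/+", "/", unquote(raw_path)).strip("/").lower()
    if path not in (SET_EP, GET_EP) or m["src"] in MGMT_HOSTS:
        return None
    if path == GET_EP:
        return m["src"], m["ts"], "info-read"
    # POST bodies are not in access logs, so goformId is only visible when it
    # was sent in the query string; otherwise report a generic set request.
    ids = [v.upper() for v in parse_qs(query).get("goformId", [])]
    finding = "sms-send" if "SEND_SMS" in ids else "set-cmd"
    return m["src"], m["ts"], finding

def scan(lines):
    """Return all findings from an iterable of access-log lines."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for src, ts, finding in scan(SAMPLE):
        print(f"{ts} {src} {finding}")
```

Because the device itself does not enforce authentication on these endpoints, any hit from a host outside the management allowlist should be treated as unauthorized access rather than as a failed attempt.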
