Mercku M6a CSRF Vulnerability Allowing Unauthorized Password Changes
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Mercku M6a devices running firmware versions through 2.1.0. The router's web interface does not verify that a password-change request originated from its own pages (for example with a per-session anti-CSRF token or a check of the Origin header), so a request that an attacker-controlled web page makes the victim's browser send, with the victim's router session cookie attached automatically, is indistinguishable from one the administrator submitted deliberately. An attacker can therefore set a new administrator password without the user's consent and take over administrative access to the device.
Impact
Exploitation of this vulnerability allows an attacker who gets a logged-in administrator to load a malicious page to change the administrator password. The legitimate user is locked out and the attacker gains unauthorized administrative access to the affected device.
Reproduction
It is the victim's browser, not the attacker, that must be on the router's local network: CSRF is carried out by the browser that can reach the router's LAN address and holds the administrative session. The attacker only needs that browser to load a page they control (via a link, an embedded frame or an advertisement) while the administrator is logged in to the router. The page contains a hidden form whose fields mirror the router's password-change form and a script that submits it automatically; the browser attaches the router session cookie, and the router, which cannot tell the forged request from a deliberate one, accepts the new password. The attack requires valid router credentials in the victim's browser at the time (an active login session); without them the router rejects the request as unauthenticated.
Remediation
CSRF protection has to be added by the vendor in the router's web interface: every state-changing request should carry a per-session anti-CSRF token that is verified server-side, requests whose Origin (or Referer) header does not match the router's own origin should be rejected, and the session cookie should be marked SameSite. Until fixed firmware is available, users can reduce exposure by logging out of the router interface after use instead of leaving a session open, and by not browsing other sites from the same browser while logged in. Mercku should be notified to address this vulnerability and to adhere to the GPL requirements for their OpenWrt-based firmware.
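The following is an added example, not code from the Mercku firmware or from this advisory. It models a password-change handler with the weakness described above beside a hardened version that applies the two recommended checks, and feeds both a constructed request of the kind an attacker's page would make the victim's browser send. The endpoint path, cookie name, router origin and session table are assumptions for illustration only.

```python
"""
Added example: a password-change handler with no CSRF defence (the failure
mode the advisory describes) beside a hardened version with an origin check
and a per-session synchronizer token. Paths, cookie names, the router origin
and the session store are hypothetical stand-ins, not taken from the device.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed LAN origin of the admin UI (hypothetical).
ROUTER_ORIGIN = "http://192.168.0.1"

# In-memory stand-ins for the router's session table and credential store.
SESSIONS = {}
PASSWORDS = {}


def reset_state():
    """Start from a logged-in admin session with a fresh per-session CSRF token."""
    SESSIONS.clear()
    SESSIONS["s1"] = {"user": "admin", "csrf_token": secrets.token_hex(16)}
    PASSWORDS.clear()
    PASSWORDS["admin"] = "oldpass"


reset_state()


def vulnerable_change_password(req):
    """Only the session cookie is checked, so any page the victim's browser
    visits can submit this form and the change goes through."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    PASSWORDS[sess["user"]] = req["form"]["new_password"]
    return 200, "password changed"


def same_origin(req):
    """Accept only requests whose Origin (or, failing that, Referer) is the
    router's own origin. Browsers set Origin on cross-site POSTs and page
    scripts cannot forge it; a missing or malformed header fails closed."""
    header = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    u = urlsplit(header)
    return bool(u.scheme) and bool(u.netloc) and f"{u.scheme}://{u.netloc}" == ROUTER_ORIGIN


def hardened_change_password(req):
    """Same handler with two independent CSRF defences: the origin check and a
    per-session synchronizer token that a cross-site page cannot read."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    if not same_origin(req):
        return 403, "cross-site request rejected"
    token = req["form"].get("csrf_token", "")
    # Constant-time comparison so token bytes cannot be guessed one at a time.
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    PASSWORDS[sess["user"]] = req["form"]["new_password"]
    return 200, "password changed"


def forged_request():
    """Constructed sample of what the victim's browser sends when an attacker's
    page auto-submits a form at the router: the browser attaches the router
    session cookie, but Origin is the attacker's site and the token is unknown."""
    return {
        "method": "POST",
        "path": "/change_password",  # hypothetical endpoint
        "headers": {"Origin": "http://attacker.example"},
        "cookies": {"session": "s1"},
        "form": {"new_password": "pwned"},
    }


def legitimate_request():
    """Constructed sample of the administrator submitting the router's own form,
    which carries the token the router embedded in that page."""
    return {
        "method": "POST",
        "path": "/change_password",  # hypothetical endpoint
        "headers": {"Origin": ROUTER_ORIGIN},
        "cookies": {"session": "s1"},
        "form": {"new_password": "newpass",
                 "csrf_token": SESSIONS["s1"]["csrf_token"]},
    }


if __name__ == "__main__":
    print("vulnerable, forged request:", vulnerable_change_password(forged_request()))
    reset_state()
    print("hardened, forged request:  ", hardened_change_password(forged_request()))
    print("hardened, legitimate:      ", hardened_change_password(legitimate_request()))
```

The two checks are deliberately independent: the origin check stops the forged request even if a token leaks, and the token check stops it even on a client that sends no Origin or Referer at all, which is why a missing header is treated as cross-site rather than trusted. In the real firmware the token would be embedded in the rendered form page and the session cookie would additionally be set with the SameSite attribute.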
