Mercku M6a Root Telnet Login Vulnerability
Vulnerability
A vulnerability in Mercku M6a devices running through version 2.1.0 allows root access via Telnet logins, using the web admin password. This issue arises from a combination of vulnerabilities, including a Cross-Site Request Forgery (CSRF) flaw that enables password resets, a hidden Telnet backdoor that can be activated through an undocumented API, and weak session token management that allows for session hijacking.
Impact
Exploitation of this vulnerability chain leads to unauthorized root access on the device, allowing full control over the router's functions and settings.
Reproduction
The vulnerability can be reproduced by first exploiting the CSRF vulnerability to reset the admin password. Once access is gained, the hidden Telnet server can be activated by sending a POST request to the router's advanced settings with the Telnet activation command. Once Telnet is enabled, the router can be accessed over Telnet using the admin password, which grants root privileges.
Remediation
Users are advised to update to the latest firmware version and to disable remote management features if not needed. Additionally, ISPs distributing these routers should notify customers of the vulnerability and recommend a firmware update.
