Mercusys MW301R Password Recovery Vulnerability
Vulnerability
A vulnerability exists in the Mercusys MW301R router, version 1.0.2 Build 190726 Rel.59423n. The issue is in the web interface: manipulating the 'code' argument results in a weak password recovery mechanism. The vulnerability allows authenticated users to bypass the standard password reset process and change the administrator password remotely, without physical access to the device or knowledge of the current password.
Impact
Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to unauthorized administrative access on the affected router.
Reproduction
To reproduce this vulnerability, an authenticated user must intercept the HTTP request to the password reset endpoint. The 'code' parameter can then be modified to invoke the reset process directly, changing the administrator password without prior knowledge of the existing credentials.
