CVE-2025-7881

Broken Access Control

CVE-2025-7881: Authentication Bypass in reset password

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-7881

Summary

In authenticated sessions, it is possible to completely bypass the password‑change workflow without knowing the current admin password. On the Mercusys MW301R, the official recovery method for a forgotten password is to perform a factory reset—which requires physical access—or, within a valid session, to supply the existing password. The discovered bypass allows an attacker who is already authenticated to intercept the HTTP request and simply modify the code parameter to invoke the reset endpoint directly. This enables the administrator password to be changed remotely, without any physical interaction with the device or knowledge of the previous credential.

Details

  1. Access the router's web interface by navigating to http://192.168.1.1/ and logging in with the administrator password.
    Note: If the password is forgotten, the only recovery method is a factory reset using the physical Reset button (hold it until all LEDs light up).
  2. While logged in, perform any action that triggers a POST request with code= and id= parameters (e.g., keepalive or status check), and intercept it using a proxy to capture a valid session ID.
  3. Modify the intercepted request by changing code= to code=5, then forward the altered request to the router.
  4. Refresh the page at http://192.168.1.1/ in your browser.
  5. The interface will now prompt for a new password without asking for the current one. Set and confirm your new password to reset it remotely.
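The logic flaw behind the steps above, modelled as a minimal request dispatcher; this is an added illustration, not the MW301R firmware. Only code=5 comes from the advisory; the other code values, the handler names, the session flag and the response strings are assumptions for the demo.

```python
# Toy model of an admin endpoint that dispatches on a numeric "code" parameter.
import hmac

CODE_KEEPALIVE = 1         # constructed value for this demo
CODE_RESET_PASSWORD = 5    # value reported in the advisory
CODE_CHANGE_PASSWORD = 6   # constructed value for this demo

class Router:
    def __init__(self, admin_password):
        self.admin_password = admin_password
        self.reset_mode = False  # True => UI prompts for a new password only

    # Vulnerable dispatch: any authenticated session can send code=5, which
    # puts the device in reset mode; the next password submission is then
    # accepted without proof of the current credential.
    def handle_vulnerable(self, session_valid, code, current=None, new=None):
        if not session_valid:
            return "401 unauthenticated"
        if code == CODE_KEEPALIVE:
            return "200 keepalive"
        if code == CODE_RESET_PASSWORD:
            self.reset_mode = True
            return "200 reset-mode"
        if code == CODE_CHANGE_PASSWORD and new:
            if self.reset_mode or hmac.compare_digest(current or "", self.admin_password):
                self.admin_password = new
                self.reset_mode = False
                return "200 password-changed"
            return "403 wrong-current-password"
        return "400 unknown-code"

    # Hardened dispatch: the reset code is not reachable over HTTP at all
    # (recovery stays on the physical button), and a change always needs
    # the current password in the same request.
    def handle_fixed(self, session_valid, code, current=None, new=None):
        if not session_valid:
            return "401 unauthenticated"
        if code == CODE_KEEPALIVE:
            return "200 keepalive"
        if code == CODE_RESET_PASSWORD:
            return "403 reset-requires-physical-button"
        if code == CODE_CHANGE_PASSWORD and new:
            if hmac.compare_digest(current or "", self.admin_password):
                self.admin_password = new
                return "200 password-changed"
            return "403 wrong-current-password"
        return "400 unknown-code"
```

The fixed handler never carries state between requests that could downgrade a later check, so a proxy-modified code value cannot remove the current-password requirement.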

PoC

Video PoC

https://youtu.be/-mlmTZ-3PzM

Impact

The lack of session validation in this endpoint can lead to several security risks:

  • Unauthorized Data Exposure: Unauthenticated users can enumerate or retrieve sensitive internal data.
  • Privilege Escalation: Attackers might access or infer information intended only for authorized users.
  • Information Disclosure: Business logic and internal IDs (like user roles or permissions) can be leaked.
  • Reconnaissance Support: Facilitates attackers in mapping backend structures for more targeted attacks.

Reference

https://github.com/RaulPazemecxas/PoCVulDb/blob/main/CVE-2025-7881.md

Finder

Raul Pazemécxas

By: CVE-Hunters
