A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks.
The login attempt rate limiting mechanism is implemented solely on the client side, which means it can be easily bypassed by sending requests directly to the device, bypassing the web interface. An attacker can thus conduct a brute force attack on authentication credentials without any attempt limitation. The lack of effective server-side protection classifies the vulnerability according to CWE-307 (insufficient authentication attempt limitation) and CWE-863 (improper authorization).
An attacker can guess login credentials and obtain elevated privileges (privilege escalation) on the device, which consequently may result in complete takeover of the router, including the ability to modify network configuration, intercept network traffic, or further attack devices on the local network.
Apply patches available from the manufacturer according to references. Additionally, it is recommended to use strong, unique passwords for the administrative panel and restrict access to the management interface only to trusted IP addresses or local network (e.g., through firewall or ACL).
Connectize AC21000 G6 with firmware version 641.139.1.1256
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HConnectize Ac21000 G6
HWConnectizewszystkie wersjeConnectize Ac21000 G6 Firmware
OSConnectize641.139.1.1256
Related vulnerabilities
Privilege escalation w routerze Connectize AC21000 G6 — słabe zarządzanie poświadczeniami
Connectize AC21000 G6 — przejęcie kontroli przez zmianę hasła bez weryfikacji
Cross Site Request Forgery (CSRF) vulnerability in Connectize AC21000 G6 641.139.1.1256 allows attackers to ga...
An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via...
An Insecure Credential Management issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to...