CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2023-24051

CVSS 9.8v3.1pub. 2023-12-04upd. 2024-11-21

A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks.

🤖 AI Analysis
How it works

The login attempt rate limiting mechanism is implemented solely on the client side, which means it can be easily bypassed by sending requests directly to the device, bypassing the web interface. An attacker can thus conduct a brute force attack on authentication credentials without any attempt limitation. The lack of effective server-side protection classifies the vulnerability according to CWE-307 (insufficient authentication attempt limitation) and CWE-863 (improper authorization).

Impact

An attacker can guess login credentials and obtain elevated privileges (privilege escalation) on the device, which consequently may result in complete takeover of the router, including the ability to modify network configuration, intercept network traffic, or further attack devices on the local network.

Mitigation & patch

Apply patches available from the manufacturer according to references. Additionally, it is recommended to use strong, unique passwords for the administrative panel and restrict access to the management interface only to trusted IP addresses or local network (e.g., through firewall or ACL).

Who is affected

Connectize AC21000 G6 with firmware version 641.139.1.1256

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Connectize Ac21000 G6

    HW
    Connectize
    wszystkie wersje
  • Connectize Ac21000 G6 Firmware

    OS
    Connectize
    641.139.1.1256
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2023-24049CRITICAL9.8PL ✓ten sam produkt

Privilege escalation w routerze Connectize AC21000 G6 — słabe zarządzanie poświadczeniami

CVE-2023-24052CRITICAL9.8PL ✓ten sam produkt

Connectize AC21000 G6 — przejęcie kontroli przez zmianę hasła bez weryfikacji

CVE-2023-24048HIGH8.8ten sam produkt

Cross Site Request Forgery (CSRF) vulnerability in Connectize AC21000 G6 641.139.1.1256 allows attackers to ga...

CVE-2023-24046MEDIUM6.8ten sam produkt

An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via...

CVE-2023-24047MEDIUM6.8ten sam produkt

An Insecure Credential Management issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to...