Peplink Security Advisory: Allows files to be downloaded from Web Admin (CVE-2020-24246)

Background
Peplink firmware versions before 8.1.0 RC1 allow an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin, as outlined in CVE-2020-24246.

Products
The vulnerabilities were identified in the Peplink Balance, MAX, MediaFast, Surf SOHO, and FusionHub product families in firmware versions before 8.1.0 RC1.

Solution
It has been fixed in firmware version 8.1.0 (Reference no. 23005) and onwards. The latest firmware can be downloaded here.
