The Philippine Long Distance Telephone (PLDT) company provides internet access in the Philippines. The SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT contain multiple vulnerabilities. The BaudTec ADSL2+ Router may also be affected.
PLDT provides the SpeedSurf 504AN, firmware version GAN9.8U26-4-TX-R6B018-PH.EN, and the Kasda KW58293 to customers for internet access. These devices contain multiple vulnerabilities.
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5991
A remote attacker may utilize these credentials to gain administrator access to the device. A remote attacker may also be able to cause a denial of service.
The CERT/CC is currently unaware of a practical solution to this problem.
Thanks to Eskie Cirrus James Maquilang for reporting this vulnerability to us.
This document was written by Garret Wassermann.