CVE-2021-47741

ZBL · ZBL Multiple Products

A high-severity privilege escalation vulnerability has been identified in multiple ZBL EPON ONU Broadband Router products.

Executive summary

A high-severity privilege escalation vulnerability has been identified in multiple ZBL EPON ONU Broadband Router products. This flaw allows an attacker who already has limited administrative access to the device to gain full administrative control. Successful exploitation could lead to a complete compromise of the network router, enabling unauthorized configuration changes, traffic interception, and further attacks on the internal network.

Vulnerability

This is a privilege escalation vulnerability within the web-based management interface of the ZBL routers. The flaw exists because certain configuration endpoints fail to properly verify the privilege level of an authenticated administrative user. An attacker with credentials for a low-privilege admin account can bypass these insufficient access controls by crafting and sending direct HTTP requests to these sensitive endpoints, allowing them to perform actions reserved for high-privilege administrators, such as changing system settings, creating new admin accounts, or modifying firewall rules.

Business impact

This is a High severity vulnerability with a CVSS score of 7.5. A successful exploit would allow an attacker to gain complete control over a critical network infrastructure device. The potential consequences include unauthorized modification of network configurations, leading to service disruption or denial of service (DoS). An attacker could also intercept or redirect network traffic (Man-in-the-Middle attack) to steal sensitive information, or use the compromised router as a pivot point to launch further attacks against other assets on the internal network.

Remediation

Immediate Action: The primary remediation is to update the firmware of all affected ZBL devices to a patched version immediately. In parallel, organizations must conduct a thorough review of all user permissions and access controls on these devices, ensuring that only trusted personnel have administrative access and that the principle of least privilege is strictly enforced.

Proactive Monitoring: Monitor device audit logs for any configuration changes originating from user accounts with known limited privileges. Network administrators should watch for unusual traffic patterns to or from the device's management interface and implement alerts for the creation of new administrative accounts or unexpected system reboots.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Restrict access to the device's management interface to a dedicated, secure management network or a limited set of trusted IP addresses.
  • Temporarily disable any non-essential, low-privilege administrative accounts until the patch can be deployed.
  • Utilize network segmentation to limit the potential "blast radius" should the device be compromised.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.5) and the critical role these routers play in a network, we strongly recommend that organizations prioritize the immediate patching of all affected ZBL devices. Although this vulnerability is not currently listed on the CISA KEV catalog, its impact is significant. If patching cannot be performed immediately, the compensating controls listed above, particularly restricting administrative access, must be implemented without delay to reduce the attack surface and prevent the compromise of a low-privilege account from escalating into a full network breach.