
CVE-2023-38945: n/a

Severity: High
Published: Wed Mar 06 2024 (03/06/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

Multilaser RE160 v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01, Multilaser RE160V v12.03.01.08_pt and V12.03.01.09_pt, and Multilaser RE163V v12.03.01.08_pt allows attackers to bypass the access control and gain complete access to the application via supplying a crafted URL.

AI-Powered Analysis

Last updated: 11/04/2025, 18:36:26 UTC

Technical Analysis

CVE-2023-38945 is a high-severity access control vulnerability identified in several firmware versions of Multilaser RE160, RE160V and RE163V devices. These devices, commonly used in networking or IoT contexts, contain a flaw that allows attackers to bypass authentication controls by crafting specific URLs. This bypass grants attackers complete access to the application interface, enabling them to manipulate device settings, extract sensitive data, or disrupt device functionality. The vulnerability is classified under CWE-284, indicating improper access control implementation. The CVSS 3.1 base score of 8.8 reflects a high severity due to the vulnerability's adjacent-network attack vector (AV:A), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact covers confidentiality, integrity, and availability, meaning attackers can fully compromise the device and its data. Although no public exploits are currently known, the vulnerability's characteristics suggest it could be weaponized easily once exploit code is developed. The lack of available patches at the time of reporting increases the urgency for defensive measures. Organizations should monitor network traffic for anomalous URL requests targeting these devices and restrict access to trusted networks. Given the device versions affected, it is likely these are embedded in specific environments, possibly including home or small business networks, but also potentially in industrial or critical infrastructure settings where Multilaser products are deployed.

Potential Impact

For European organizations, this vulnerability poses a significant risk due to the potential for full device compromise without authentication. Attackers could gain unauthorized access to network devices, leading to data breaches, manipulation of network traffic, or denial of service conditions. The confidentiality of sensitive information processed or stored on these devices could be severely impacted. Integrity could be compromised by unauthorized configuration changes or firmware manipulation, potentially creating persistent backdoors or disrupting normal operations. Availability is also at risk if attackers disable or crash the devices. The threat is particularly concerning for sectors relying on these devices for critical communications or operational technology, such as utilities, manufacturing, or telecommunications. The ease of exploitation and lack of required privileges mean that attackers within the adjacent network segment can launch attacks with minimal effort. This could facilitate lateral movement within corporate or industrial networks, increasing the overall risk profile. The absence of known exploits in the wild currently provides a window for mitigation, but the high CVSS score indicates that the vulnerability should be treated as a priority.

Mitigation Recommendations

1. Immediately restrict network access to affected Multilaser devices by implementing network segmentation and firewall rules that limit access to trusted hosts and management networks only.
2. Monitor network traffic for unusual or suspicious URL requests targeting the vulnerable devices, using intrusion detection systems (IDS) or network monitoring tools.
3. Disable remote management interfaces if not strictly necessary, or enforce strong authentication and encryption where possible.
4. Engage with Multilaser or authorized vendors to obtain firmware updates or patches as soon as they become available; prioritize patch deployment in all affected environments.
5. Conduct an inventory of all Multilaser devices in use to identify and isolate vulnerable versions.
6. Implement compensating controls such as VPNs or zero-trust network access to reduce exposure of these devices to adjacent networks.
7. Educate network administrators and security teams about this vulnerability and the importance of monitoring and rapid response.
8. Consider deploying endpoint detection and response (EDR) solutions on connected systems to detect lateral movement attempts originating from compromised devices.
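For the inventory step, the sketch below is an added example, not code from the vendor or from this page. It triages a device inventory against the model and firmware strings listed in the description. The CSV layout (`host,model,firmware`), the sample rows and the `review` status for a listed model running an unlisted or unknown firmware are assumptions.

```python
import csv
import io

# Affected model -> firmware versions, copied from the CVE description.
AFFECTED = {
    "RE160": {"v5.07.51_pt_MTL01", "v5.07.52_pt_MTL01"},
    "RE160V": {"v12.03.01.08_pt", "V12.03.01.09_pt"},
    "RE163V": {"v12.03.01.08_pt"},
}
# Case-folded copy so "V12..." and "v12..." compare equal.
_AFFECTED_CF = {m: {v.casefold() for v in vs} for m, vs in AFFECTED.items()}

def normalize_model(raw):
    """Drop an optional vendor prefix: 'Multilaser re160v' -> 'RE160V'."""
    parts = raw.strip().upper().split()
    return parts[-1] if parts else ""

def classify(model, firmware):
    """Return 'affected', 'review' or 'not-listed' for one device.

    'review' (an assumption of this example) marks a listed model whose
    firmware is blank or not in the advisory: the page reports no patch,
    so an unlisted version is not evidence that the device is fixed.
    """
    m = normalize_model(model)
    if m not in _AFFECTED_CF:
        return "not-listed"
    if firmware.strip().casefold() in _AFFECTED_CF[m]:
        return "affected"
    return "review"

def triage(inventory_csv):
    """Classify every row of a host,model,firmware CSV export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], classify(r["model"], r["firmware"])) for r in rows]

# Constructed sample inventory (hosts and rows are illustrative).
SAMPLE = """host,model,firmware
10.0.10.2,Multilaser RE160,v5.07.52_pt_MTL01
10.0.10.3,re160v,v12.03.01.09_pt
10.0.10.4,RE163V,
10.0.10.5,RE163V,v12.03.01.08_pt
10.0.10.6,OtherVendor AP1,1.0.0
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}\t{status}")
```

Devices reported as `affected` or `review` are the ones to place behind the segmentation and firewall rules from step 1.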


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2023-07-25T00:00:00.000Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 690a439d6d939959c8fddb0a

Added to database: 11/4/2025, 6:19:09 PM

Last enriched: 11/4/2025, 6:36:26 PM

Last updated: 11/5/2025, 3:11:53 PM
