CVE-2023-45744 is an improper access control vulnerability (CWE-284) identified in Peplink Smart Reader version 1.2.0 running in QEMU environments. The vulnerability resides in the web interface endpoint /cgi-bin/upload_config.cgi, which handles configuration uploads. Due to insufficient access control, an unauthenticated attacker can craft and send HTTP requests to this endpoint to modify the device's configuration without any authentication or authorization checks. This flaw compromises data integrity by allowing unauthorized configuration changes, which can lead to device misconfiguration, potential denial of service, or further exploitation. The vulnerability has a CVSS 3.1 base score of 8.3, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope is unchanged (S:U), with low confidentiality impact (C:L), but high integrity (I:H) and availability (A:H) impacts. Although no public exploits are currently known, the ease of exploitation and potential impact make this a critical concern for affected users. The vulnerability was published on April 17, 2024, and no official patches have been linked yet, emphasizing the need for immediate mitigation.

For European organizations, this vulnerability poses a significant risk to the integrity and availability of Peplink Smart Reader devices, which may be used in network access control or security monitoring roles. Unauthorized configuration changes could disrupt network operations, degrade security posture, or enable further attacks such as network infiltration or denial of service. Critical infrastructure sectors, including telecommunications, energy, and transportation, that rely on Peplink devices for secure network access could experience operational disruptions or data integrity breaches. The unauthenticated nature of the exploit increases the threat surface, especially for devices exposed to untrusted networks or the internet. Additionally, the lack of authentication means attackers can exploit this vulnerability remotely without needing valid credentials, raising the urgency for European entities to assess exposure and implement mitigations promptly.

1. Immediately restrict access to the /cgi-bin/upload_config.cgi endpoint by implementing network-level controls such as firewall rules or access control lists to limit management interface exposure only to trusted internal networks. 2. Employ network segmentation to isolate Peplink Smart Reader devices from general user networks and the internet, reducing the attack surface. 3. Monitor HTTP traffic for unusual or unauthorized requests targeting the upload_config.cgi endpoint, using intrusion detection systems or web application firewalls with custom rules. 4. Disable or remove unnecessary web interface functionalities if possible until an official patch is released. 5. Regularly check for vendor updates or security advisories from Peplink and apply patches promptly once available. 6. Implement multi-factor authentication and strong credential policies for device management interfaces to mitigate other potential attack vectors. 7. Conduct security audits and configuration reviews of Peplink devices to detect unauthorized changes early. 8. Educate network administrators about this vulnerability and the importance of limiting device exposure.