CVE-2023-49255: CWE-306 Missing Authentication for Critical Function in Hongdian H8951-4G-ESP

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2023-49255, cwe-306
Published: Fri Jan 12 2024 (01/12/2024, 14:23:53 UTC)
Source: CVE Database V5
Vendor/Project: Hongdian
Product: H8951-4G-ESP

Description

The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated one. If the logged in user has administrative privileges, it is possible to use webadmin service configuration commands to create a new admin user with a chosen password.

AI-Powered Analysis

Last updated: 07/04/2025, 14:26:54 UTC

Technical Analysis

CVE-2023-49255 is a critical vulnerability in the Hongdian H8951-4G-ESP router, classified under CWE-306 (Missing Authentication for Critical Function). The router's console interface is accessible without authentication at the 'data' field. Modifying the router's configuration requires a logged-in user session, but the session state is shared among users. As a result, if an authenticated user is logged in, an unauthenticated (anonymous) user can execute commands in that user's context, with the same privileges. If the logged-in user has administrative privileges, this includes using the webadmin service configuration commands to create new administrative users with chosen passwords, which gives an attacker full control over the device without authenticating.

The vulnerability has a CVSS 3.1 score of 9.8, indicating critical severity: the attack vector is network-based, no privileges or user interaction are required, and there is full impact on confidentiality, integrity, and availability. No public exploits are currently known in the wild, but the nature of the flaw makes it highly exploitable remotely. The vulnerability was published on January 12, 2024, and affects the Hongdian H8951-4G-ESP router, a device likely used in industrial or enterprise environments given the vendor's profile. The lack of authentication on critical functions, combined with session state sharing, is a severe design flaw that can lead to complete device takeover and persistent unauthorized access.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on Hongdian H8951-4G-ESP routers in their network infrastructure. The ability for an unauthenticated attacker to gain administrative access can lead to full compromise of the affected routers, enabling attackers to intercept, modify, or disrupt network traffic, deploy malware, or use the device as a pivot point for further attacks within the network. This can severely impact confidentiality by exposing sensitive data, integrity by allowing unauthorized configuration changes, and availability by potentially disabling network services. Critical infrastructure operators, industrial control systems, and enterprises using these routers could face operational disruptions, data breaches, and compliance violations under GDPR and other regulations. The shared session state flaw also means that even legitimate users logged into the device are at risk of session hijacking, increasing the attack surface. Given the router’s role in 4G connectivity, organizations relying on cellular backup or primary connections may experience outages or data interception. The absence of known exploits in the wild does not reduce the urgency due to the ease of exploitation and critical impact.

Mitigation Recommendations

Immediate mitigation steps include isolating the affected Hongdian H8951-4G-ESP routers from untrusted networks to limit exposure. Network segmentation should be enforced to restrict access to the router’s management interface only to trusted administrative hosts. Administrators should monitor network traffic for unusual access patterns or unauthorized configuration changes. Since no patches are currently available, organizations should consider replacing affected devices with alternatives from vendors with a stronger security track record. If replacement is not immediately feasible, implementing strict firewall rules to block access to the router’s webadmin interface from external networks is critical. Additionally, enforcing multi-factor authentication (MFA) on management interfaces, if supported, can reduce risk. Regularly auditing user sessions and logs for signs of session hijacking or unauthorized access attempts is recommended. Vendors and users should engage with Hongdian to prioritize the release of a security patch addressing the authentication and session management flaws. Finally, organizations should update their incident response plans to include scenarios involving router compromise and ensure backups of router configurations are maintained securely.
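The recommendations above to restrict the management interface to trusted administrative hosts and to monitor for unusual access patterns can be checked against flow logs. The following is an added example, not part of the original advisory or of any vendor tooling; the log format, the addresses, the admin allowlist and the 15-minute session window are all assumptions. Because the flaw shares session state, it rates a request from an untrusted source higher when it falls close in time to activity from a trusted admin host on the same router.

```python
"""Flag untrusted access to a router management address (added example)."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions, not from the advisory: addresses, log format, session window.
ADMIN_NETS = [ip_network("10.20.0.0/28")]  # trusted administrative hosts
ROUTER_MGMT = {ip_address("10.0.5.1")}     # router management addresses
SESSION_WINDOW = timedelta(minutes=15)     # assumed admin session lifetime

# Constructed sample flow records: "timestamp source destination"
SAMPLE_LOG = """\
2024-01-15T09:00:05 10.20.0.4 10.0.5.1
2024-01-15T09:03:10 10.0.7.33 10.0.5.1
2024-01-15T09:04:00 10.20.0.4 10.0.5.1
2024-01-15T11:30:00 10.0.7.33 10.0.5.1
2024-01-15T11:31:00 10.0.7.33 10.0.9.9
"""

def parse(log):
    """Yield (timestamp, source, destination) for each non-empty record."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            yield datetime.fromisoformat(ts), ip_address(src), ip_address(dst)

def is_trusted(addr):
    return any(addr in net for net in ADMIN_NETS)

def find_suspicious(log):
    """Return findings for untrusted sources that reached a router."""
    records = [r for r in parse(log) if r[2] in ROUTER_MGMT]
    # Times at which a trusted admin host was talking to each router.
    admin_times = {}
    for ts, src, dst in records:
        if is_trusted(src):
            admin_times.setdefault(dst, []).append(ts)
    findings = []
    for ts, src, dst in records:
        if is_trusted(src):
            continue
        # An untrusted request near admin activity may ride the shared session.
        overlap = any(abs(ts - t) <= SESSION_WINDOW
                      for t in admin_times.get(dst, []))
        label = "during-admin-session" if overlap else "untrusted-source"
        findings.append((ts.isoformat(), str(src), str(dst), label))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Both labels indicate a gap in the access restrictions; "during-admin-session" is the case to triage first, followed by a review of the router's admin accounts.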

Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2023-11-24T11:53:46.294Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f034a182aa0cae27e65f6

Added to database: 6/3/2025, 2:14:34 PM

Last enriched: 7/4/2025, 2:26:54 PM

Last updated: 8/2/2025, 12:49:03 PM
