CVE-2024-54763 is an access control vulnerability identified in the ipTIME A2004 router firmware version 12.17.0, specifically within the /login/hostinfo.cgi component. This vulnerability allows attackers to bypass authentication mechanisms and access sensitive information stored or processed by the device. The flaw arises because the affected CGI endpoint does not properly enforce access restrictions, enabling unauthenticated remote attackers to retrieve potentially sensitive host information. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting a medium severity with a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact primarily affects confidentiality and integrity, as attackers can obtain information that may facilitate further attacks or reconnaissance but does not directly affect availability. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability affects the ipTIME A2004 router, a device commonly used in home and small office networks, particularly in regions where ipTIME products have strong market presence. The lack of authentication requirement and ease of exploitation make this vulnerability a notable risk for unauthorized information disclosure.

The primary impact of CVE-2024-54763 is unauthorized disclosure of sensitive information from affected ipTIME A2004 routers. Attackers can remotely access the /login/hostinfo.cgi endpoint without authentication, potentially gaining details about the device's configuration, network environment, or other sensitive host data. This information disclosure can facilitate further targeted attacks, such as credential theft, network mapping, or exploitation of other vulnerabilities. While the vulnerability does not directly enable device takeover or denial of service, the compromised confidentiality and integrity of information can undermine network security. Organizations relying on ipTIME A2004 routers, especially in environments with sensitive data or critical infrastructure, face increased risk of reconnaissance and subsequent attacks. The medium severity rating reflects the balance between ease of exploitation and limited direct impact on availability or full system compromise. However, the widespread deployment of the affected device in certain regions could amplify the overall risk landscape.

To mitigate CVE-2024-54763, organizations should first verify if their ipTIME A2004 routers are running firmware version 12.17.0 or earlier and seek firmware updates from the vendor as soon as they become available. In the absence of an official patch, network administrators should restrict access to the router's management interfaces by implementing network segmentation and firewall rules that block external access to the /login/hostinfo.cgi endpoint. Disabling remote management features or limiting them to trusted IP addresses can reduce exposure. Monitoring network traffic for unusual requests to the vulnerable CGI endpoint can help detect exploitation attempts. Additionally, changing default credentials and enforcing strong authentication policies on router management interfaces can limit the impact of information disclosure. Regularly auditing router configurations and applying security best practices for IoT and network devices will further reduce risk.