NSIDE-SA-2024-002
Advisory: Authentication Bypass and Remote Code Execution in AXESS 5
Unauthenticated remote attackers can bypass the authorization checks that protect
API endpoints and call those endpoints directly. The endpoints allow remote code
execution.
Details
=======
Affected Product: AXESS by Axiros
Affected Versions: 4.x, 5.0.0
Vulnerability Type: Unauthenticated Remote-Code Execution
Security Risk: CRITICAL
Vendor Status: FIXED
Fixed Version: 4.3.2 (4.x branch), 5.0.3 and later (5.x branch)
Advisory Status: PUBLISHED
Advisory URL: https://www.nsideattacklogic.de/advisories/NSIDE-SA-2024-002
Advisory URL (text only): https://www.nsideattacklogic.de/advisories/NSIDE-SA-2024-002.txt
CVE ID: CVE-2024-33898
Introduction
============
AXESS is a carrier-grade device management server for devices managed via
TR-069 and USP. It is designed for Tier 1 and Tier 2 support operators
to assist end customers with their router installations.
Description
===========
NSIDE decided to delay the disclosure of detailed technical information until
19 September 2024.
For further information on detection and patches, please refer to Axiros'
security bulletin at [0].
Risk
====
Unauthenticated remote attackers can fully compromise the AXESS server and
interact with all registered routers at will, e.g. reboot them or install
new firmware on them.
Solution/Mitigation
===================
For further information on detection and patches, please refer to Axiros'
security bulletin at [0].
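The following version triage script is an added example and is not part of this advisory or of Axiros' software. It takes the affected and fixed versions from the Details section and decides, for an inventory of AXESS installations, which ones still need the patch. It assumes that the 4.x branch is fixed from 4.3.2 onward and the 5.x branch from 5.0.3 onward, that every release below the fixed release of its branch is affected (a conservative reading of the "4.x" and "5.0.0" lines above), that pre-release builds of a fixed release (e.g. "5.0.3-rc1") are still affected, and that branches the advisory does not mention are of unknown status. The inventory and hostnames are constructed sample data.

```python
"""Affected-version triage for NSIDE-SA-2024-002 (CVE-2024-33898), AXESS by Axiros.

Added example; not part of the advisory or of Axiros' software.
Assumptions: the 4.x branch is fixed from 4.3.2 onward and the 5.x branch
from 5.0.3 onward; every release below the fixed release of its branch is
treated as affected (conservative reading of the advisory's "4.x" and
"5.0.0" lines); pre-release builds of the fixed release (e.g. "5.0.3-rc1")
are treated as affected; branches the advisory does not mention are unknown.
"""
import re
from typing import Dict, Iterable, Tuple

# (major, minor, patch, final) where final is 0 for pre-releases, 1 for releases
Version = Tuple[int, int, int, int]

# Fixed releases per major branch as given by the advisory (assumed inclusive).
FIXED: Dict[int, Version] = {
    4: (4, 3, 2, 1),
    5: (5, 0, 3, 1),
}

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(rc|alpha|beta)\d*)?", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Extract a comparable version tuple from strings like 'AXESS 4.3.10-rc1'.

    Comparing integer tuples avoids the classic pitfall of comparing version
    strings lexically, where '4.3.10' sorts before '4.3.2'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True if the given AXESS version is below its branch's fixed release."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Branch not mentioned by the advisory: do not guess, let the caller decide.
        raise ValueError(f"{v[0]}.x branch is not covered by NSIDE-SA-2024-002")
    return v < fixed


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> 'affected' | 'fixed' | 'unknown' for (host, version) pairs."""
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = [
    ("acs-01.example.net", "AXESS 4.3.1"),
    ("acs-02.example.net", "AXESS 4.3.10"),
    ("acs-03.example.net", "AXESS 5.0.0"),
    ("acs-04.example.net", "AXESS 5.0.3"),
    ("acs-05.example.net", "AXESS 5.0.3-rc1"),
    ("acs-06.example.net", "AXESS 3.9.4"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {status}")
```

Hosts reported as "unknown" run a branch the advisory does not list; treat them as open questions for the vendor rather than as patched.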
Disclosure timeline
===================
2024-04-18: Vulnerability discovered and details reported to Axiros
2024-04-18: Axiros develops security patch
2024-04-19: Axiros starts distribution of a security patch
2024-04-21: Retest of the customer application
2024-06-17: Axiros agrees to CVE publication
2024-06-25: CVE published
2024-12-17: Advisory published by NSIDE
Contact/Credits
===============
The vulnerability was discovered during an assessment by Moritz Feldmann of
NSIDE ATTACK LOGIC GmbH.
References
==========
[0] https://www.axiros.com/2024/03/vulnerability-in-axusermanager
Disclaimer
==========
The information in this security advisory is provided "as is" and without
warranty of any kind. Details of this security advisory may be updated in order
to provide as accurate information as possible. The most recent version of this
security advisory can be found at NSIDE ATTACK LOGIC GmbH's website
(https://www.nsideattacklogic.de/).