
Leo Pate, Application Security Consultant at nVisium, a Falls Church, Va.-based application security provider, explains that exploiting the vulnerability identified in CVE-2020-3580 allows an attacker to modify the device’s configuration. “While this sounds dangerous, exploiting this vulnerability requires an administrative user to log in and navigate to the webpage where the attacker uploaded the malicious code. Updating to the latest versions of the affected software on an organization’s affected devices is recommended; however, there is more that can be done to mitigate this vulnerability. Organizations can ask their internal teams if they need to use the web management interface, and if so, is it available to everyone on the internet or just internally to our organization? If the web management interface isn’t needed, then it should be disabled.”
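The mitigation Pate describes, restricting or disabling the web management interface, as an added configuration example that is not from the article or from nVisium. CVE-2020-3580 affects the web services interface of Cisco ASA and FTD software, which this excerpt does not name; the commands below are the standard Cisco ASA CLI for the HTTP server that serves ASDM, and the addresses and interface names are assumed values chosen for illustration.

```text
! Weak: ASDM/HTTP management reachable from any address on the Internet-facing interface
http server enable
http 0.0.0.0 0.0.0.0 outside

! Hardened option 1: the web management interface is not needed, so turn it off entirely
no http server enable

! Hardened option 2: it is needed, so allow it only from an internal management subnet
! (10.10.5.0/24 and the interface name "inside" are assumed values)
http server enable
http 10.10.5.0 255.255.255.0 inside
no http 0.0.0.0 0.0.0.0 outside

! Check: confirm no "http ... outside" line remains in the running configuration
show running-config http
```

The `http` commands govern only the ASDM/HTTP management server. If remote-access VPN is enabled on the same interface, that portal is a separate web surface that this restriction does not close, which is why the software update remains the primary fix and the interface restriction is a defense in depth. On FTD the management plane is configured through FMC or FDM rather than these commands, so apply the same question there: is the management interface reachable from anywhere it does not need to be?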

Pate says “Security researchers are constantly disclosing PoCs for known exploits with the vast majority following unwritten responsible disclosure standards. When vulnerabilities are discovered, security researchers typically report these vulnerabilities to the organization that built the software before releasing them publicly. They work with the organization to help find a solution to the vulnerability and give them time to push out an update before releasing the information they discovered publicly. It should be noted that security researchers are under no obligation to withhold the information they discovered.”
