CVE-2025-63225: Eurolab ELTS100_UBX Broken Access Control Vulnerability Description The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation. Vendor Information Vendor: Eurolab s.r.l Vendor Homepage: http://eurolab-srl.com/ Affected Products Product: Eurolab ELTS100_UBX Hardware Version: E118 Firmware Version: ELTS100v1.UBX Vulnerable Endpoints /crypto/keypage.htm /crypto/savefile.cgi /system_setup.htm /protect/config.htm /firmware/now_upgrade.htm /bootloader /mpfsupload Attack Type Type: Broken Access Control Classification: Improper Authorization Impact Severity: High Attackers can: View and modify cryptographic keys Change system settings Modify network configuration Upload new firmware Access bootloader Attack Vector Access Method: Remote, over HTTP Authentication Requirement: None (unauthenticated) Exploit Complexity: Low (simple HTTP requests) Proof of Concept (PoC) 1. Exploit: Access Cryptographic Keys 2. Exploit: Modify System Settings 3. Exploit: Modify TCP/IP Configuration 4. Exploit: Upload and Install Firmware Automated Exploit (Python PoC Script) Vulnerability Type Info Vulnerability Type: Broken Access Control CWE-ID: - CWE-284 - Improper Access Control - CWE-285 - Improper Authorization Impact Info Impact Type: - Privilege Escalation: Unauthenticated attackers can gain administrative access. - Configuration Modification: Attackers can modify device settings, including network configuration. - Firmware Injection: Attackers can upload malicious firmware. - System Compromise: Attackers can take full control of the device. Discovered by Mohamed Shahat Suggested Fixes Authentication: Implement mandatory authentication for all sensitive endpoints. Access Control: Restrict administrative endpoints to trusted IP addresses only. Enforce role-based access control (RBAC). Input Validation: Validate all inputs, including POST and GET parameters. Firmware Security: Require cryptographic signature verification before allowing firmware updates. Session Management: Ensure secure session handling and prevent session fixation attacks. Mitigation & Workarounds Until a patch is released, administrators should: Restrict access to sensitive endpoints using firewall rules. Monitor network traffic for suspicious activity. Disable firmware update access from untrusted sources. Require VPN or secure tunnel for remote administrative access.