Security for everyone

FatPipe Networks Authorization Bypass Vulnerability Scanner

Detects the 'Authorization Bypass' vulnerability in FatPipe Networks WARP/IPVPN/MPVPN, affecting v. 10.2.2


Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 sec
Scan only one: Domain, Ipv4
Toolbox: -

FatPipe Networks WARP/IPVPN/MPVPN software is widely used by businesses to secure and optimize their wide area network (WAN) infrastructure. This software facilitates reliable, fast, and secure data transmission across multiple WAN links, ensuring the uninterrupted connectivity that today’s cloud-based applications and services depend on. Employed across industries from financial services to healthcare, these solutions are integral to maintaining operational efficiency and data security. Version 10.2.2 in particular has been found to contain a significant security vulnerability that needs immediate attention to protect against unauthorized access.

The identified vulnerability in FatPipe WARP/IPVPN/MPVPN version 10.2.2 allows an authorization bypass via a hidden administrative account. This account, named cmuser, does not require a password for authentication and has write access to the device. Because it is not visible in the standard Users menu, this backdoor lets attackers bypass the regular authentication process with little effort, posing a high security risk: an unauthorized person could obtain sensitive information or perform malicious actions on the device.

The vulnerability is exploited through a simple POST request to the /fpui/loginServlet endpoint with the username parameter set to cmuser and the password parameter left empty. This bypasses the standard authentication process and grants access to the device as the hidden administrator, with no visible account and no password requirement. Because the login succeeds through the normal login endpoint, an attacker can perform unauthorized operations, including data modification and access to sensitive information, without standard security controls flagging anything unusual.
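Because the bypass goes through the ordinary login endpoint, the most useful defensive check is to review login traffic for the hidden account name or for empty passwords. The following is an added example, not code from the securityforeveryone platform or from FatPipe; it assumes a constructed, space-separated request log format (timestamp, client, method, path, URL-encoded body) that a reverse proxy or WAF in front of the device could produce.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of request logs captured in front of the appliance.
# Format (assumed, not FatPipe's own): timestamp client method path body
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 POST /fpui/loginServlet username=admin&password=s3cr3t
2024-05-01T10:00:07Z 203.0.113.9 POST /fpui/loginServlet username=cmuser&password=
2024-05-01T10:00:09Z 203.0.113.9 GET /fpui/index.jsp -
2024-05-01T10:01:15Z 10.0.0.7 POST /fpui/loginServlet username=operator&password=
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S*)$")
LOGIN_PATH = "/fpui/loginServlet"      # login endpoint named on this page
HIDDEN_ACCOUNT = "cmuser"              # hidden administrative account named on this page


def analyse_login_log(text):
    """Return (timestamp, client, reason) for each suspicious login attempt.

    Flags any POST to the login servlet that either uses the hidden account
    or submits an empty password, which is the condition the bypass relies on.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        ts, client, method, path, body = m.groups()
        if method != "POST" or path != LOGIN_PATH:
            continue
        # keep_blank_values so an empty password still shows up as a key
        params = parse_qs(body, keep_blank_values=True)
        user = params.get("username", [""])[0]
        pwd = params.get("password", [""])[0]
        if user == HIDDEN_ACCOUNT:
            findings.append((ts, client, "login attempt with hidden account cmuser"))
        elif pwd == "":
            findings.append((ts, client, f"empty password for {user!r}"))
    return findings


if __name__ == "__main__":
    for ts, client, reason in analyse_login_log(SAMPLE_LOG):
        print(f"{ts} {client}: {reason}")
```

Any hit for the hidden account on a device running 10.2.2 should be treated as a probable compromise, not just a failed login.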

Exploiting this vulnerability could lead to several adverse outcomes, including unauthorized access to sensitive data, modification of device configurations, and potential disruption of network services. The presence of an unauthorized administrator could allow for further vulnerabilities to be exploited, leading to a cascade of security breaches. This could result in significant data loss, operational downtime, and compromise of confidential information, posing serious risks to the affected organization's reputation and financial well-being.

By utilizing the security scanning capabilities of the securityforeveryone platform, users can identify and address vulnerabilities like the Authorization Bypass in FatPipe Networks WARP/IPVPN/MPVPN. Our platform offers comprehensive vulnerability assessments, providing detailed insights into potential security weaknesses within your digital assets. With real-time scanning and reporting, you can swiftly identify risks, enabling prompt remediation to safeguard your network infrastructure. Joining securityforeveryone not only enhances your cyber resilience but also empowers you to maintain operational integrity and protect sensitive data against emerging threats.
