critical advisory

Across DR-810 Unauthenticated File Disclosure Vulnerability

Across DR-810 routers are vulnerable to unauthenticated file disclosure, allowing remote attackers to download the rom-0 backup file containing sensitive information, such as router passwords and configuration data, via a simple GET request to the rom-0 endpoint.

The Across DR-810 router contains an unauthenticated file disclosure vulnerability (CVE-2019-25706) that allows remote attackers to retrieve sensitive information. By sending a simple GET request to the /rom-0 endpoint, an attacker can download a backup file containing router passwords, configuration details, and potentially other sensitive data. This vulnerability exists because the /rom-0 endpoint does not require authentication, allowing anyone with network access to the router to retrieve the backup file. Successful exploitation leads to complete compromise of the device’s configuration and potential lateral movement within the network if credentials are reused. This vulnerability was published on 2026-04-12.

Attack Chain

  1. Attacker identifies an Across DR-810 router exposed on the network.
  2. Attacker crafts an HTTP GET request targeting the /rom-0 endpoint.
  3. The router responds with the rom-0 backup file without requiring authentication.
  4. Attacker downloads the rom-0 backup file.
  5. Attacker decompresses the downloaded rom-0 file, which is likely compressed to reduce size.
  6. The attacker parses the decompressed file to extract sensitive information such as router passwords.
  7. Attacker uses the extracted router passwords to gain administrative access to the router’s web interface.

Impact

Successful exploitation of this vulnerability allows attackers to retrieve sensitive information, including router passwords and configuration data. This can lead to complete compromise of the affected router. An attacker can then modify router settings, intercept network traffic, or potentially use the compromised router as a pivot point to access other systems on the network. If the router passwords are reused across multiple systems, the impact could extend beyond the compromised router, affecting other devices and services.

Recommendation

  • Use the provided Sigma rule to monitor web server logs for requests to the /rom-0 endpoint on Across DR-810 routers and detect potential exploitation attempts.
  • Inspect network traffic for unusual downloads from Across DR-810 routers, focusing on responses from the /rom-0 endpoint.
  • Block access to the /rom-0 endpoint on Across DR-810 routers via firewall rules to prevent unauthorized access.
  • Review the provided reference URLs for additional context and potential mitigation strategies.

Detection coverage 2

Across DR-810 Rom-0 File Disclosure Attempt

critical

Detects attempts to download the rom-0 backup file from Across DR-810 routers.

sigma | tactics: discovery | techniques: T1595.001 | sources: webserver, linux

Across DR-810 Rom-0 File Download Response

high

Detects successful downloads of the rom-0 backup file from Across DR-810 routers based on response size.

sigma | tactics: credential_access | sources: webserver, linux
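
The two detections described above, as an added example (not the platform's Sigma rules, which this page does not show): a Python pass over access logs that flags every request to /rom-0 and separates attempts from responses that look like a served backup file. It assumes Combined Log Format from a proxy or gateway in front of the router; MIN_BACKUP_BYTES and the sample log lines are constructed assumptions, not values from the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ATTEMPT = "Across DR-810 Rom-0 File Disclosure Attempt"
DOWNLOAD = "Across DR-810 Rom-0 File Download Response"
MIN_BACKUP_BYTES = 1024  # assumed threshold, not from the advisory; tune per device

def normalise(target):
    """Reduce a request target to a canonical lower-case path."""
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)  # absolute-URI form
    path = unquote(re.split(r"[?#]", path, maxsplit=1)[0])  # drop query, decode %xx
    path = posixpath.normpath(re.sub(r"/+", "/", "/" + path))  # fold //, /./, /../
    return path.lower()  # over-match on case rather than miss a variant

def classify(line, min_bytes=MIN_BACKUP_BYTES):
    """Return a finding dict for a request to /rom-0, else None."""
    m = LOG_RE.match(line)
    if not m or normalise(m["target"]) != "/rom-0":
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    served = m["method"] == "GET" and m["status"] == "200" and size >= min_bytes
    return {"rule": DOWNLOAD if served else ATTEMPT, "src": m["ip"],
            "time": m["time"], "status": int(m["status"]), "bytes": size}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2026:10:01:02 +0000] "GET /rom-0 HTTP/1.1" 200 16384 "-" "curl/8.0"
203.0.113.7 - - [12/Apr/2026:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [12/Apr/2026:10:02:00 +0000] "GET /%72om-0?x=1 HTTP/1.1" 403 0 "-" "-"
198.51.100.9 - - [12/Apr/2026:10:02:03 +0000] "GET //ROM-0 HTTP/1.0" 200 - "-" "-"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A download finding means the backup file should be treated as disclosed: rotate the router credentials and any passwords reused elsewhere.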


Indicators of compromise

Type   Value
url    http://www.ac.i8i.ir/
url    https://www.exploit-db.com/exploits/46132
url    https://www.vulncheck.com/advisories/across-dr-810-rom-0-unauthenticated-file-disclosure
email  [email protected]