File-Disclosure — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/file-disclosure/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 12 Apr 2026 13:16:33 +0000Across DR-810 Unauthenticated File Disclosure Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-across-dr810-file-disclosure/Sun, 12 Apr 2026 13:16:33 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-across-dr810-file-disclosure/Across DR-810 routers are vulnerable to unauthenticated file disclosure, allowing remote attackers to download the rom-0 backup file containing sensitive information, such as router passwords and configuration data, via a simple GET request to the rom-0 endpoint.The Across DR-810 router contains an unauthenticated file disclosure vulnerability (CVE-2019-25706) that allows remote attackers to retrieve sensitive information. By sending a simple GET request to the /rom-0 endpoint, an attacker can download a backup file containing router passwords, configuration details, and potentially other sensitive data. This vulnerability exists because the /rom-0 endpoint does not require authentication, allowing anyone with network access to the router to retrieve the backup file. Successful exploitation leads to complete compromise of the device’s configuration and potential lateral movement within the network if credentials are reused. This vulnerability was published on 2026-04-12.

Attack Chain

  1. Attacker identifies an Across DR-810 router exposed on the network.
  2. Attacker crafts an HTTP GET request targeting the /rom-0 endpoint.
  3. The router responds with the rom-0 backup file without requiring authentication.
  4. Attacker downloads the rom-0 backup file.
  5. Attacker decompresses the downloaded rom-0 file, which is likely compressed to reduce size.
  6. The attacker parses the decompressed file to extract sensitive information such as router passwords.
  7. Attacker uses the extracted router passwords to gain administrative access to the router’s web interface.

Impact

Successful exploitation of this vulnerability allows attackers to retrieve sensitive information, including router passwords and configuration data. This can lead to complete compromise of the affected router. An attacker can then modify router settings, intercept network traffic, or potentially use the compromised router as a pivot point to access other systems on the network. If the router passwords are reused across multiple systems, the impact could extend beyond the compromised router, affecting other devices and services.

Recommendation

  • Monitor web server logs for requests to the /rom-0 endpoint on Across DR-810 routers to detect potential exploitation attempts using the provided Sigma rule.
  • Inspect network traffic for unusual downloads from Across DR-810 routers, focusing on responses from the /rom-0 endpoint.
  • Block access to the /rom-0 endpoint on Across DR-810 routers via firewall rules to prevent unauthorized access.
  • Review the provided reference URLs for additional context and potential mitigation strategies.
]]>criticaladvisorycve-2019-25706file-disclosurerouternetwork