Home

Description

Tellion HN-2204AP routers contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/system_config_file management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials, wireless keys, and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network.

PUBLISHED Reserved 2025-11-26 | Published 2025-11-26 | Updated 2025-11-28 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unknown

Any version
affected

Timeline

2019-10-07:Exploit is publicly disclosed

Credits

Todor Donev finder

References

packetstorm.news/files/id/154752/ exploit

web.archive.org/web/20190525010559/https://www.tellion.com/ product

www.vulncheck.com/...204ap-unauthenticated-config-disclosure third-party-advisory

cve.org (CVE-2019-25227)

nvd.nist.gov (CVE-2019-25227)

Download JSON