The 1.x and 2.x firmware is vulnerable to remote file inclusion (RFI) because allow_url_fopen is enabled and arguments are not checked before being used in file operations. Since the 3.x firmware uses a redesigned WebUI, it is not affected by this vulnerability.

References:

Solutions and Workarounds:

If you decide to do neither of the above, make sure the device is not accessible from untrusted networks (such as the internet) or by untrusted users. Alternatively, prevent the device from accessing untrusted networks.

This vulnerability applies to the following models:
Attachments

| Attachment | Size |
|---|---|
| Thecus FW update to fix the RFI vulnerability reported as KKM-798736. The file has to be applied the same way as a regular firmware update. MD5: 3959ddce4020239d1d324685c2f28f55 | 632 bytes |
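
The root cause named in the description, URL-capable file functions receiving unchecked arguments, is illustrated by the following added PHP example. It is not code from the Thecus firmware; the function names, the demo directory and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: with allow_url_fopen = On, a value such as
// "http://host/file" makes the file functions fetch remote content.
function read_page_unsafe(string $name)
{
    return file_get_contents($name);
}

// Hardened form: resolve the argument to a regular file inside one base
// directory, or return null. (Hypothetical helper, not firmware code.)
function resolve_local_file(string $baseDir, string $name): ?string
{
    // Refuse stream wrappers (http://, ftp://, php://, data:) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name) || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // base or target does not exist
    }
    // With ".." and symlinks resolved, the file must still sit under the base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary directory stands in for the WebUI's files.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'webui_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'status.txt', "ok\n");

$inputs = ['status.txt', 'http://192.0.2.10/page.txt', '../outside.txt', 'missing.txt'];
foreach ($inputs as $input) {
    $resolved = resolve_local_file($base, $input);
    printf("%-28s => %s\n", $input, $resolved === null ? 'rejected' : 'accepted');
}

unlink($base . DIRECTORY_SEPARATOR . 'status.txt');
rmdir($base);
```

Only `status.txt` is accepted; the URL, the path outside the base directory and the missing file are rejected. Setting `allow_url_fopen = Off` in php.ini additionally disables the http:// and ftp:// wrappers for these functions.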