CVE-2017-8840

MEDIUM

Peplink Balance Firmware - Unauthenticated Sensitive Information Exposure via HASync Debug Endpoint

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-8840. PoCs published by X41 D-Sec GmbH.

AI-analyzed exploit summary: This is a detailed security advisory from X41 D-Sec GmbH describing multiple vulnerabilities in Peplink Balance routers, including SQL injection, CSRF, XSS, file deletion, and information disclosure. It provides technical details, CVSS scores, and mitigation steps for each vulnerability.

Description

Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LAN Address, Serial Number, HA Group ID, Virtual IP, and Submitted syncid.

Exploits (1)

exploitdb WRITEUP
by X41 D-Sec GmbH · text · webapps · cgi
https://www.exploit-db.com/exploits/42130

Classification: Writeup 100%
Attack Type: Sqli | Xss | Dos | Info Leak | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Peplink Balance Routers (7.0.0-build1904)
No auth needed
Prerequisites: Network access to the Peplink device · Valid session cookie for some attacks
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/bugtraq/2017/Jun/1
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42130/
Patch, Third Party Advisory x_refsource_misc
https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/

Scores

CVSS v3 5.3
EPSS 0.0357
EPSS Percentile 87.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (6)
peplink/1350hw2_firmware 7.0.1
peplink/2500_firmware 7.0.1
peplink/380hw6_firmware 7.0.1
peplink/580hw2_firmware 7.0.1
peplink/710hw3_firmware 7.0.1
peplink/b305hw2_firmware 7.0.1
Published Jun 05, 2017
Tracked Since Feb 18, 2026