| Vulnerability | Beetel 777VR1 Broadband Router, Firmware Versions V01.00.09 / V01.00.09_55, CWE-284 — Improper Access Control |
|---|
| Description | Excessive Bootloader Functionality Exposed in Production Firmware |
|---|
Affected Product
- Product: Beetel 777VR1 Broadband Router
- Firmware Versions: V01.00.09 / V01.00.09_55
- Build Date: Nov 7 2019
- Hardware Platform: Realtek RTL8685S
- Bootloader: Realtek RTL8685S Bootloader (LZMA)
- Distribution: ISP-provisioned firmware
Vulnerability Type
Improper Restriction of Critical Bootloader Functionality
CWE-284 — Improper Access Control
Severity
Critical
Attack Vector
Physical (UART / Serial Console)
Description
The Beetel 777VR1 router ships with a production bootloader that exposes a wide range of high-risk diagnostic and control commands intended for development or manufacturing use. These commands are present and fully functional in production firmware and are not restricted by secure boot policies, hardware fuses, or operational mode checks.
The exposed functionality includes arbitrary physical memory read and write operations, execution control, and firmware extraction mechanisms such as Trivial File Transfer Protocol (TFTP). These capabilities allow direct interaction with system memory and non-volatile storage prior to operating system initialization.
The presence of these unrestricted commands in production firmware violates the principle of least privilege and enables full device compromise if the bootloader interface is accessed.
Importantly, this vulnerability exists independently of whether bootloader authentication is enforced. Even with authentication added, exposing such functionality in deployed devices represents a critical security weakness.
Impact
An attacker can:
- Extract the complete firmware image, enabling reverse engineering and credential recovery
- Modify memory or flash contents to implant persistent malicious code
- Bypass the firmware trust chain and undermine system integrity guarantees
This enables persistent compromise of the device that survives reboots and firmware resets.
Preconditions
- Access to the bootloader console (e.g., via UART)
- Device running an affected firmware version
Confirmed Capabilities
The following bootloader commands and behaviors have been observed:
- Arbitrary memory read (r)
- Arbitrary memory write (w)
- Memory dump (d)
- Firmware extraction via TFTP
Evidence and Detailed Steps of Reproduction
Please see: https://gist.github.com/raghav20232023/ea6adcd6d1eca35683570a1094164bd3
Mitigation
- Remove or disable high-risk bootloader commands in production firmware
- Restrict bootloader functionality based on hardware lifecycle state
- Enforce secure boot and signed firmware validation
- Lock or fuse bootloader debug features prior to deployment
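The second and fourth mitigations above (gating console commands on the hardware lifecycle state, and fusing debug features before deployment) can be implemented in the bootloader's command dispatcher. The following is an added illustration written for this page, not Realtek's or Beetel's bootloader code: the lifecycle fuse, the command names, the capability flags and the 256-byte memory window are all hypothetical and modelled in RAM so the program runs on a host. The point it shows is that the same production image keeps a memory read/write capability available only while the device is in the development lifecycle state, and refuses (and logs) those commands once the production fuse is blown, while the command needed for normal boot keeps working.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated one-time-programmable lifecycle fuse (assumption). Devices start
 * in DEVELOPMENT on the factory line and are blown to PRODUCTION before they
 * ship; a real OTP cell cannot be cleared, so nothing here clears it. */
typedef enum { LC_DEVELOPMENT = 0, LC_PRODUCTION = 1 } lifecycle_t;
static lifecycle_t g_lifecycle_fuse = LC_DEVELOPMENT;

/* Simulated memory window that the diagnostic commands operate on. */
static uint8_t g_mem[256];

enum { CMD_OK = 0, CMD_UNKNOWN = -1, CMD_DENIED = -2, CMD_BADARG = -3 };

#define CAP_ALWAYS     0x1  /* required for normal boot; allowed in every state */
#define CAP_DEBUG_ONLY 0x2  /* manufacturing/development only */

typedef int (*cmd_fn)(uint32_t addr, uint32_t val, uint32_t *out);
struct bl_cmd { const char *name; unsigned caps; cmd_fn fn; };

static int cmd_read(uint32_t addr, uint32_t val, uint32_t *out) {
    (void)val;
    if (addr >= sizeof g_mem) return CMD_BADARG;
    *out = g_mem[addr];
    return CMD_OK;
}

static int cmd_write(uint32_t addr, uint32_t val, uint32_t *out) {
    (void)out;
    if (addr >= sizeof g_mem || val > 0xFF) return CMD_BADARG;
    g_mem[addr] = (uint8_t)val;
    return CMD_OK;
}

static int cmd_boot(uint32_t addr, uint32_t val, uint32_t *out) {
    /* A real loader verifies the image signature here before jumping to it. */
    (void)addr; (void)val;
    *out = 1;
    return CMD_OK;
}

/* Command table: the capability flag on each entry, checked against the fuse
 * at run time, decides what the console may do, so one image serves both
 * lifecycle states without shipping a separate "debug build". */
static const struct bl_cmd g_cmds[] = {
    { "r",    CAP_DEBUG_ONLY, cmd_read  },
    { "w",    CAP_DEBUG_ONLY, cmd_write },
    { "boot", CAP_ALWAYS,     cmd_boot  },
};

lifecycle_t bl_lifecycle(void) { return g_lifecycle_fuse; }

/* Irreversible: models blowing the production fuse at end of line. */
void bl_blow_production_fuse(void) { g_lifecycle_fuse = LC_PRODUCTION; }

/* Dispatch one console command. Debug-only commands are refused, and the
 * refusal is logged, once the lifecycle fuse reads PRODUCTION. */
int bl_dispatch(const char *name, uint32_t addr, uint32_t val, uint32_t *out) {
    for (size_t i = 0; i < sizeof g_cmds / sizeof g_cmds[0]; i++) {
        if (strcmp(name, g_cmds[i].name) != 0) continue;
        if ((g_cmds[i].caps & CAP_DEBUG_ONLY) && bl_lifecycle() == LC_PRODUCTION) {
            printf("bootloader: refused '%s' in production lifecycle state\n", name);
            return CMD_DENIED;
        }
        return g_cmds[i].fn(addr, val, out);
    }
    return CMD_UNKNOWN;
}

int main(void) {
    uint32_t out = 0;
    bl_dispatch("w", 0x10, 0xAB, &out);          /* allowed: still in development */
    bl_dispatch("r", 0x10, 0, &out);
    printf("development: r 0x10 -> 0x%02X\n", out);
    bl_blow_production_fuse();                    /* end-of-line step */
    printf("production:  r 0x10 -> rc %d\n", bl_dispatch("r", 0x10, 0, &out));
    printf("production:  boot   -> rc %d\n", bl_dispatch("boot", 0, 0, &out));
    return 0;
}
```

The design choice worth noting is that the check lives in one place, the dispatcher, rather than inside each handler; adding a new diagnostic command cannot silently bypass the gate because every entry must declare its capability, and the gate reads the fuse rather than a build-time define, which is the property the advisory's "based on hardware lifecycle state" mitigation asks for.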
Credit
Discovered and reported by: RAGHAV AGRAWAL
Notes for CNA (VulDB)
This vulnerability is distinct from unauthenticated bootloader access issues. It concerns the inappropriate inclusion of development-grade bootloader functionality in production devices and should not be treated as a duplicate of authentication or access-control flaws.
| Source | https://gist.github.com/raghav20232023/ea6adcd6d1eca35683570a1094164bd3 |
|---|
| User | raghav_2026 (UID 94388) |
|---|
| Submission | 01/16/2026 09:37 (1 Wulgo 전) |
|---|
| Moderation | 01/25/2026 10:43 (9 days later) |
|---|
| Status | Shingilam |
|---|
| VulDB Entry | 342800 [Beetel 777VR1 up to 01.00.09/01.00.09_55 UART Interface access control] |
|---|
| Points | 20 |
|---|