Orange AirBox Y858 – Unauthenticated APN Configuration Information Disclosure
Disclosure Status
disclosed
April 09, 2026
April 09, 2026
Description
Finding
Discovered by Adrian “syrex1013” Dacka while investigating the goform/getProfileList endpoint in Orange AirBox firmware, which exposes APN configuration data without requiring authentication.
Reproducibility
Issue a network request to the goform/getProfileList endpoint on an affected Orange AirBox Y858_FL_01.16_04 router. The response contains the APN profile details even though no authentication was supplied.
Impact
High-severity information disclosure vulnerability (CVSS 9.8). A remote, unauthenticated attacker can read the sensitive APN configuration stored on the device (name, number, username, password). Affects Orange AirBox firmware Y858_FL_01.16_04.
Patches
No specific patch/version information is included in the API data; users should check the vendor’s firmware support for updated releases.
Workarounds
Isolate affected devices from untrusted networks and avoid exposing the router web interface publicly until patched.
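To confirm that the isolation holds, requests to the endpoint can be triaged from the logs of whatever sits in front of the router. The following is an added example, not part of the original advisory or the vendor's tooling; it assumes a proxy or network sensor that writes Common Log Format, and the admin subnet, function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only this management subnet should reach the router web interface.
ADMIN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
ENDPOINT = "/goform/getprofilelist"  # endpoint named in the advisory, lower-cased

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(target):
    """Drop the query string, percent-decode, collapse slashes, lower-case.
    Lower-casing over-matches on purpose; the device's case handling is unknown."""
    path = unquote(target.partition("?")[0])
    return re.sub(r"/+", "/", path).lower().rstrip("/")

def is_admin(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # hostname or garbage in the client field: treat as untrusted
        return False
    return any(addr in net for net in ADMIN_NETS)

def triage(lines):
    """Return (source, status, verdict) for each request to the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalise(m["target"]) != ENDPOINT:
            continue
        status = int(m["status"])
        if is_admin(m["src"]):
            verdict = "review"    # expected network, still worth a look
        elif 200 <= status < 300:
            verdict = "exposed"   # served to a source outside the admin network
        else:
            verdict = "probe"     # outside source, request not served
        hits.append((m["src"], status, verdict))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.168.1.10 - - [09/Apr/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Apr/2026:10:00:05 +0000] "GET /goform/getProfileList HTTP/1.1" 200 431',
    '198.51.100.23 - - [09/Apr/2026:10:00:09 +0000] "GET //goform/get%50rofileList?x=1 HTTP/1.1" 403 0',
    '192.168.1.10 - - [09/Apr/2026:10:01:00 +0000] "POST /goform/getProfileList HTTP/1.1" 200 431',
]
```

An "exposed" verdict means the interface answered a request from outside the admin network, so the stored APN credentials should be treated as disclosed and rotated with the carrier.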
References
https://github.com/remix30303/AirBoxAPNLeaks