Orange AirBox Y858 – Unauthenticated Factory Reset via setReset Endpoint
Disclosure Status: disclosed
Dates: April 09, 2026; April 09, 2026
Description
Finding
Reported by Adrian Dacka; the goform/setReset command on Orange AirBox allowed unauthorized factory resets.
Reproducibility
Send a crafted request to the goform/setReset endpoint on an affected Orange AirBox Y858_FL_01.16_04 to trigger a factory reset without authentication.
Impact
High-severity authorization bypass (CVSS 7.5). An attacker who can reach the endpoint can reset the router to factory defaults, which may enable administrative access once the device comes back up with default settings.
Patches
Not specified in the provided data; users should seek firmware updates from the manufacturer.
Workarounds
Disable remote management and ensure the local network is trusted; physically secure the device.
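Because the advisory names the affected endpoint (goform/setReset) but no patch, a practical defensive step is to watch for any request to that path from a reverse proxy, firewall or network sensor placed in front of the device. The script below is an added example written for this page, not code from the advisory or from the referenced repository; it assumes access logs in Apache/NGINX combined format (the page says nothing about the AirBox's own logging) and uses constructed sample lines.

```python
"""Flag requests to the goform/setReset endpoint in web access logs.

Added example, not part of the original advisory. Assumes combined-format
access logs captured by a proxy or sensor in front of the device; the sample
lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Endpoint named in the advisory. Match case-insensitively and tolerate a
# trailing query string or fragment so trivial variations are not missed.
RESET_PATH = re.compile(r"/goform/setReset(?:[?#].*)?$", re.IGNORECASE)

# Minimal parser for the combined log format (assumed log source).
COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Alert:
    src: str
    ts: str
    method: str
    path: str
    status: int

    def accepted(self) -> bool:
        """True when the device answered 2xx, i.e. the reset was likely processed."""
        return 200 <= self.status < 300


def parse_line(line: str):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def find_reset_attempts(lines):
    """Return an Alert for every request whose path is the setReset endpoint."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if RESET_PATH.search(rec["path"]):
            alerts.append(Alert(rec["src"], rec["ts"], rec["method"],
                                rec["path"], int(rec["status"])))
    return alerts


# Constructed sample: two ordinary requests, one accepted hit on the reset
# endpoint, and one rejected variant with different casing and a query string.
SAMPLE_LOG = [
    '192.168.1.10 - - [09/Apr/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1532',
    '192.168.1.10 - - [09/Apr/2026:10:00:05 +0000] "POST /goform/login HTTP/1.1" 200 87',
    '192.168.1.77 - - [09/Apr/2026:10:02:13 +0000] "POST /goform/setReset HTTP/1.1" 200 12',
    '192.168.1.77 - - [09/Apr/2026:10:02:14 +0000] "GET /goform/setreset?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for a in find_reset_attempts(SAMPLE_LOG):
        state = "ACCEPTED" if a.accepted() else "rejected"
        print(f"{a.ts} {a.src} {a.method} {a.path} -> {a.status} ({state})")
```

Any hit on this path is worth an alert on a device that should never be reset remotely; an accepted (2xx) hit from an address outside the trusted management network is the case to treat as an incident, since the advisory indicates no credentials are required.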
References
https://github.com/remix30303/AirBoxDoom