Orange AirBox Y858 – Unauthenticated WLAN Client Information Disclosure
Disclosure Status
disclosed
April 09, 2026
April 09, 2026
Description
Finding
Identified by Adrian Dacka via analysis of the goform/getWlanClientInfo endpoint in Orange AirBox firmware; this endpoint leaked client connection data.
Reproducibility
Query the goform/getWlanClientInfo endpoint on Orange AirBox Y858_FL_01.16_04 to obtain hostname, IP address, MAC address and time data for connected devices.
Impact
High-severity information disclosure (CVSS 7.5). Attackers can remotely retrieve details about clients on the Wi-Fi network.
Patches
No patch or fixed-version guidance is included in the API; check the vendor's firmware updates.
Workarounds
Block external access to the router web interface; restrict local LAN access.
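To check that these workarounds hold, the following added example (not part of the advisory or the referenced repository) scans HTTP access logs for requests to goform/getWlanClientInfo that come from anywhere other than an approved admin host. The Common Log Format input, the 192.168.1.0/24 LAN range, the admin host address and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Endpoint named in the advisory, with or without a query string.
ENDPOINT = re.compile(r"^/goform/getWlanClientInfo(?:\?|$)", re.IGNORECASE)
# Assumed input: Common Log Format lines from a proxy or sensor in front of the router.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed LAN range
ADMIN_HOSTS = {ipaddress.ip_address("192.168.1.10")}  # assumed approved admin host

# Constructed sample lines (documentation address ranges), not captured traffic.
SAMPLE_LOG = """\
192.168.1.10 - - [09/Apr/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [09/Apr/2026:10:00:05 +0000] "GET /goform/getWlanClientInfo HTTP/1.1" 200 1840
192.168.1.23 - - [09/Apr/2026:10:01:12 +0000] "GET /goform/getWlanClientInfo?rand=0.1 HTTP/1.1" 200 1840
192.168.1.10 - - [09/Apr/2026:10:02:00 +0000] "GET /goform/getWlanClientInfo HTTP/1.1" 200 1840
198.51.100.4 - - [09/Apr/2026:10:03:30 +0000] "GET /goform/getWlanClientInfo HTTP/1.1" 403 0
"""

def audit(log_text, lan=LAN, admins=ADMIN_HOSTS):
    """Return (source, origin, outcome, timestamp) for each unapproved request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not ENDPOINT.match(m["path"]):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            origin = "lan" if src in lan else "external"
        except ValueError:
            src, origin = None, "unknown"  # source was logged as a hostname
        if src in admins:
            continue  # approved admin host, not reported
        # A 2xx status means the endpoint answered; anything else was refused upstream.
        outcome = "served" if m["status"].startswith("2") else "refused"
        findings.append((m["src"], origin, outcome, m["ts"]))
    return findings

if __name__ == "__main__":
    for src, origin, outcome, ts in audit(SAMPLE_LOG):
        print(f"{ts} {src} ({origin}) {outcome}")
```

An "external … served" finding means the web interface is still reachable from outside; a "lan … served" finding means a non-admin LAN host can still read the client list.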
References
https://github.com/remix30303/AirboxLeak