Vulnerabilities in Hongdian Router H8951-4G-ESP software

CERT Polska coordinated disclosure identifies ten vulnerabilities in the Hongdian H8951-4G-ESP firmware (pre-build 2310271149) that collectively allow privilege escalation to root, remote command execution, unauthenticated console access, decryption of configuration backups via a hardcoded key, arbitrary CGI upload and execution, multiple XSS vectors, predictable/weak authentication cookies, and an authentication bypass via cookie overflow; the issues were reported by SEQRED and mitigated in build 2310271149.