Description
Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data.
Published: 2026-04-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information disclosure via unauthenticated download of router backup file
Action: Patch
AI Analysis

Impact

Across DR-810 firmware contains a flaw that lets an attacker issue a simple HTTP GET request to the rom-0 endpoint. The request is accepted without any authentication, causing the router to send the compressed backup file that includes configuration data such as router passwords and other sensitive settings. This exposure aligns with CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory), which covers sensitive information being released to unauthorized parties through an accessible file. The result is that confidentiality of the device’s credentials and configuration is compromised, potentially enabling full control of the device.

Affected Systems

The affected product is the Across DR-810 router firmware, specifically the rom-0 backup functionality. Any device running this firmware that exposes its management interface to a network is vulnerable.

Risk and Exploitability

The CVSS score of 8.7 marks this vulnerability as high severity. No authentication is required, and the exploit can be carried out by sending a single GET request to the exposed endpoint, making it highly likely to be exploited by remote attackers. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, but the lack of authentication and the simple payload provide a straightforward attack path. The impact is high: an unauthorized party can obtain router configuration and passwords, paving the way for further compromise.

Generated by OpenCVE AI on April 12, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest firmware update from Across that removes or protects the rom‑0 endpoint.
  • Configure network firewalls to restrict access to the router’s management interface, allowing only trusted IP ranges.
  • Disable the backup feature or delete existing backup files on the device if the feature is not required.
  • Verify that the rom‑0 endpoint is no longer accessible by attempting a GET request from an external location.


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 13 Apr 2026 13:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Across; Across dr-810 |
| Vendors & Products | | Across; Across dr-810 |

Sun, 12 Apr 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data. |
| Title | | Across DR-810 ROM-0 Unauthenticated File Disclosure |
| First Time appeared | | Furunosystems; Furunosystems acera 810 Firmware |
| Weaknesses | | CWE-538 |
| CPEs | | cpe:2.3:o:furunosystems:acera_810_firmware:rom-0:*:*:*:*:*:*:* |
| Vendors & Products | | Furunosystems; Furunosystems acera 810 Firmware |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T18:16:20.733Z

Reserved: 2026-04-12T12:12:00.220Z

Link: CVE-2019-25706

Vulnrichment

Updated: 2026-04-13T15:50:40.556Z

NVD

Status: Awaiting Analysis

Published: 2026-04-12T13:16:33.470

Modified: 2026-04-13T15:01:43.663

Link: CVE-2019-25706

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:55:51Z

Weaknesses