JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Key field under Edit Wi-Fi Settings-CVE-2019-7440


# Exploit Title: JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Key field under Edit Wi-Fi Settings (aka a SetWiFi_Setting request to cgi-bin/qcmap_web_cgi)
# Exploit Author: Vikas Chaudhary
# Date: 21-01-2019
# Vendor Homepage:
# Hardware Link:
# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
# Category: Hardware
# Contact: Vikas Chaudhary
# Web:
# Tested on: Windows 10 X64- Firefox-65.0
# CVE-2019-7440
## Vulnerability Description :- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
The issue is triggered when an unauthorized input passed via multiple POST and GET parameters are not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context
of an affected site.
# Proof Of Concept:-PoC
1- First Open BurpSuite
2- Make Intercept on
3 -Go to your Wifi Router’s Gateway in Browser [i.e ] 4-Goto wifi edit section and click on apply
5-Now capture the data and generate CSRF PoC
6-Now Change the SSID name and Password (Security Key) According to you
7-Save it as .html and send it to Victim.
8-Victim’s profile will be changed according to you

Myself Vikash Chaudhary, I was interested in general knowledge since childhood, so I thought why not share my knowledge with you, that's why I created this educational blog. I am a Youtuber, Author, Blogger, Trader, Freelancer, and Security Analyst. I have experience of 7 years in Blogging and Trading. I have written 3 books which you can find on this website.Keep Loving and Supporting... Thank you.