# CVE-2021-46010

## Predictable Session ID in Totolink A3100R V5.9c.4577

by KVS

* Description

  The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations.

* Affected version

  Totolink A3100R V5.9c.4577

* Root Cause Analysis

  The SESSION_ID consists of `2:$TIMESTAMP:2`, where `$TIMESTAMP` is the current timestamp. Because the only variable part is the time of login, an attacker who knows roughly when a valid login session was established can brute force the candidate timestamps and recover the SESSION_ID.

* Proof-of-Concept

  Video: [https://www.youtube.com/watch?v=XfqUYXniMsI](https://www.youtube.com/watch?v=XfqUYXniMsI)
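The following added example (not the advisory's or the vendor's code) models the `2:$TIMESTAMP:2` scheme as described above, puts the effective key space in numbers, contrasts it with a CSPRNG-backed session ID, and gives a defender-side audit check that flags session IDs whose only secret is the issue time. The constant prefix/suffix `2` and the assumption that `$TIMESTAMP` is a Unix epoch value in seconds are taken from the advisory; the function names are my own.

```python
import secrets
from math import log2
from typing import Optional

# Model of the weak scheme described in the advisory: SESSION_ID = "2:<timestamp>:2".
# Only the timestamp varies, so the ID is a function of the login time alone.
def weak_session_id(login_ts: int) -> str:
    return f"2:{login_ts}:2"

# Hardened replacement (assumption, not vendor code): 128 bits from the OS CSPRNG.
# Nothing about the ID is derivable from the clock or from other sessions.
def strong_session_id() -> str:
    return secrets.token_hex(16)

def parse_weak_session_id(sid: str) -> Optional[int]:
    """Return the embedded timestamp if sid has the weak 2:<digits>:2 shape, else None."""
    parts = sid.split(":")
    if len(parts) == 3 and parts[0] == "2" and parts[2] == "2" and parts[1].isdigit():
        return int(parts[1])
    return None

def effective_entropy_bits(window_seconds: int) -> float:
    """Entropy an attacker faces if the login time is known to within window_seconds.
    A one-hour window leaves ~11.8 bits; a 128-bit random token leaves 128."""
    return log2(window_seconds)

def audit_session_id(sid: str, issued_at: int, tolerance: int = 5) -> dict:
    """Defender-side check: flag an ID that is just the issue time wrapped in constants.
    issued_at is the server's own record of when it handed out sid (constructed input)."""
    ts = parse_weak_session_id(sid)
    if ts is None:
        return {"sid": sid, "predictable": False, "reason": "no embedded timestamp"}
    drift = abs(ts - issued_at)
    if drift <= tolerance:
        return {"sid": sid, "predictable": True,
                "reason": f"embeds issue time (drift {drift}s); entropy == login-time uncertainty"}
    return {"sid": sid, "predictable": False, "reason": "timestamp-shaped but not the issue time"}

if __name__ == "__main__":
    t = 1636000000  # constructed login time
    print(audit_session_id(weak_session_id(t), t))
    print(audit_session_id(strong_session_id(), t))
    print(f"1h window: {effective_entropy_bits(3600):.1f} bits vs 128 bits for token_hex(16)")
```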