# CVE-2021-46006

## Test page exists in Totolink A3100R V5.9c.4577

by KVS

* Description

  Missing Authentication for Critical Function. "test.asp" contains an API-like function that is not authenticated. Using this function, an attacker can configure multiple settings without authentication.

* Affected version

  Totolink A3100R V5.9c.4577

* Root Cause Analysis

  The test page, test.asp, exists in the target device. It offers an API-like function that is accessible by any user. An attacker with access to the victim device can configure all settings without any authentication, such as enabling telnet.

* Proof-of-Concept

  {%youtube Cw-LTTyRLXk %}