This page lists publicly disclosed CVE vulnerabilities affecting peplink balance_two_firmware (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-49230 | An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication. | [email protected] | 8.8 | 2.05% | 2023-12-27 | 2026-06-17 |
| CVE-2023-49229 | An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in the administration web service allows read-only, unprivileged users to obtain sensitive information about the device configuration. | [email protected] | 4.3 | 0.49% | 2023-12-27 | 2026-06-17 |
| CVE-2023-49228 | An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands as root. | [email protected] | 6.4 | 0.47% | 2023-12-27 | 2026-06-17 |
| CVE-2023-49226 | An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root. | [email protected] | 7.2 | 3.42% | 2023-12-25 | 2026-06-17 |
| CVE-2020-24246 | Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin. | [email protected] | 7.5 | 1.27% | 2020-10-07 | 2026-06-16 |