It is possible for remote attackers to gain control of a target TrueMobile 2300 running firmware versions 220.127.116.11 and 18.104.22.168. Other versions are likely affected. The vulnerability appears to be in an administrative component accessed through the web-based control interface. Unauthenticated attackers can force the device to reset the administrative credentials without authorization. Once credentials have been reset an attacker can log in and perform malicious actions, potentially compromising the entire LAN behind the device.
A dialog requesting credentials may appear. The action will be performed, even if "cancel" is clicked.