NDSS 2026

Through the Authentication Maze: Detecting Authentication Bypass Vulnerabilities in Firmware Binaries

Nanyu Zhong, Yuekang Li, Yanyan Zou, Jiaxu Zhao, Jinwei Dong, Yang Xiao, Bingwei Peng, Yeting Li, Wei Wang, Wei Huo

Abstract

Embedded web services are widely integrated into network devices such as routers and gateways. These services are often exposed to public networks, making them attractive targets for authentication bypass attacks. Such vulnerabilities allow attackers to gain privileged access without valid credentials, posing serious risks to device integrity and network security. Existing detection techniques rely heavily on manual analysis or rigid heuristics, making them ineffective against diverse and evolving authentication schemes. We present AuthSpark, a novel dynamic analysis framework for detecting authentication bypass vulnerabilities in firmware binaries. AuthSpark leverages execution trace similarity between successful and failed authentication attempts to locate credential checks. It then tracks authentication-related variable propagation to identify authentication success logic. Finally, it employs a customized greybox fuzzer with task-specific power scheduling and mutation strategies to explore bypass paths. We evaluate AuthSpark on firmware from 32 real-world devices containing 14 known vulnerabilities. AuthSpark successfully identifies 42 out of 44 credential checks and detects 14 of the known vulnerabilities. More importantly, when applied to the latest firmware versions, AuthSpark discovers six zero-day authentication bypass vulnerabilities, four of which received official assignments (three CVEs and one PSV). These results highlight AuthSpark's effectiveness and its potential to uncover critical security flaws in real-world systems.
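The first step the abstract describes, using the similarity between the execution traces of a successful and a failed login to locate the credential check, can be illustrated on a toy login handler. The example below is added here and is not AuthSpark's code; it assumes a constructed web handler that records `function:block` events in place of a basic-block trace from an instrumented binary, and the user table, password and function names are all invented for the illustration. The idea it shows is that two failed attempts (wrong password, unknown user) produce traces that are more similar to each other than to the success trace, and that the first point where the success and failure traces diverge falls inside the function performing the credential comparison.

```python
"""Added illustration (not AuthSpark's implementation): locating a credential
check by differencing execution traces of a successful and a failed login."""
import difflib
import hashlib
import hmac

# Constructed user table for the toy handler; the password is a sample value.
USERS = {"admin": hashlib.sha256(b"constructed-password").hexdigest()}


class Tracer:
    """Records 'function:block' events. This stands in for a basic-block trace
    collected from an instrumented firmware binary (an assumption of this example)."""

    def __init__(self):
        self.events = []

    def hit(self, function, block):
        self.events.append(f"{function}:{block}")


def parse_request(req, t):
    t.hit("parse_request", "entry")
    return req.get("user", ""), req.get("password", "")


def check_credentials(user, password, t):
    """The credential check the trace differencing is expected to find."""
    t.hit("check_credentials", "entry")
    stored = USERS.get(user)
    if stored is None:
        t.hit("check_credentials", "no_such_user")
        return False
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if hmac.compare_digest(stored, supplied):
        t.hit("check_credentials", "match")
        return True
    t.hit("check_credentials", "mismatch")
    return False


def handle_login(req):
    """Toy login endpoint; returns (HTTP status, list of trace events)."""
    t = Tracer()
    t.hit("handle_login", "entry")
    user, password = parse_request(req, t)
    if check_credentials(user, password, t):
        t.hit("handle_login", "issue_session")
        status = 200
    else:
        t.hit("handle_login", "render_error")
        status = 401
    t.hit("handle_login", "send_response")
    return status, t.events


def trace_similarity(a, b):
    """Similarity ratio in [0, 1] between two event sequences."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def first_divergence(a, b):
    """Index at which the two event sequences first differ
    (the shorter length if one is a prefix of the other)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def locate_credential_check(success_trace, failure_trace):
    """Name the function in which a successful and a failed login first diverge.
    Returns None when the traces are identical, i.e. nothing to locate."""
    i = first_divergence(success_trace, failure_trace)
    if i >= len(success_trace):
        return None
    return success_trace[i].split(":")[0]


if __name__ == "__main__":
    _, ok = handle_login({"user": "admin", "password": "constructed-password"})
    _, bad_pw = handle_login({"user": "admin", "password": "wrong"})
    _, no_user = handle_login({"user": "nobody", "password": "x"})
    print("success vs failure similarity:", round(trace_similarity(ok, bad_pw), 3))
    print("failure vs failure similarity:", round(trace_similarity(bad_pw, no_user), 3))
    print("credential check located in:", locate_credential_check(ok, bad_pw))
```

On a real binary the events would be basic-block addresses rather than names, and the diverging block would be mapped back to its enclosing function; the comparison logic stays the same. Two failure traces of different kinds (unknown user, wrong password) are useful as a control: if they diverge at the same function as success versus failure, that function is a stronger candidate for the credential check than a block that only differs because of request parsing.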