Router Security: Router Bugs Flaws Hacks and Vulnerabilities
Website by Michael Horowitz
I spoke about Router Security at the O'Reilly Security Conference in New York City on Nov. 1, 2017.

If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck. Below is what I base this opinion on. This list is far from complete.

You may be thinking that all software is buggy, but router software is probably worse. One reason for this is your ISP, which may have configured the router/gateway in an insecure way, either on purpose, to allow spying, or out of laziness or incompetence. Another reason is cost: router software is developed as cheaply as possible. Security is not the prime directive. Look at the box a router ships in - none brag about security.

BIG BUGS: A number of flaws stand out. The port 32764 issue from January 2014 and April 2014 for example. A router backdoor was exposed, then instead of being removed, was just better hidden. Another flaw not to be missed is the Misfortune Cookie from December 2014. Then, of course, there is WPS, the electronic equivalent of a "hack me" sign on your back. Other huge flaws were the one with UPnP and the one involving USB file sharing.

THE US GOVERNMENT IS MAD AS HELL: In January 2017, the FTC accused D-Link of leaving its routers and webcam devices vulnerable to hackers. A lawsuit alleged that D-Link "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." D-Link was also accused of misleading the public about the security of their devices. D-Link denied they did anything bad. More below.

This page has bugs from 2017 and 2016. You can go straight to 2016 bugs or see bugs from individual years for 2015 through 2012. The 2012 page includes some older bugs too.



Dasan refuses to fix its buggy router

A potent botnet is exploiting a critical router bug that may never be fixed
by Dan Goodin of Ars Technica   Feb. 14, 2018
In October 2017 an independent researcher found a bug in the Dasan Networks GPON ONT WiFi Router H640X. Specifically, the login_action function uses strcpy without checking the length of input from the client request. This creates a buffer overflow that can lead to remote code execution. It is not clear if the bug also exists in other Dasan devices. The researcher enlisted SecuriTeam to contact Dasan. That did not go well; Dasan basically ignored them. SecuriTeam published the details of the flaw in early December 2017. In early February 2018, Radware detected a new botnet where almost all the devices are from Dasan. They call it the Satori.Dasan botnet. Shodan reports about 40,000 devices listening on port 8080, with over half located in Vietnam. Satori infections don't survive a device reboot, so that's one defensive measure. If your router can set firewall rules, block which is the C and C server for the botnet.
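The bug class described above (strcpy on a client-supplied field with no length check), next to a length-checked form. This is an added example, not Dasan's code: the function names other than login_action, the 32-byte field size and the form-encoded request body are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32  /* assumed buffer size; the firmware's real size is not on this page */

struct login { char user[FIELD_MAX]; char pass[FIELD_MAX]; };

/* The pattern described above, for contrast only (never called here):
 * strcpy() copies until the NUL, so a value longer than FIELD_MAX - 1
 * bytes writes past the end of dst. */
void copy_field_unchecked(char dst[FIELD_MAX], const char *value)
{
    strcpy(dst, value);
}

/* Copy the value of "name=" from a form-encoded body into dst.
 * Returns 0 on success, -1 if the field is missing, -2 if it does not fit.
 * dst is written only when the whole value fits, NUL included. */
int get_field(const char *body, const char *name, char *dst, size_t dst_size)
{
    size_t name_len = strlen(name);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);

        if (pair_len > name_len && p[name_len] == '=' &&
            strncmp(p, name, name_len) == 0) {
            size_t value_len = pair_len - name_len - 1;
            if (value_len >= dst_size)
                return -2;          /* reject; silent truncation hides abuse */
            memcpy(dst, p + name_len + 1, value_len);
            dst[value_len] = '\0';
            return 0;
        }
        p = amp ? amp + 1 : NULL;
    }
    return -1;
}

/* Hardened handler: parse into a scratch struct and commit only if every
 * field passed its length check. Returns an HTTP-style status. */
int login_action_checked(const char *body, struct login *out)
{
    struct login tmp;

    memset(&tmp, 0, sizeof tmp);
    if (get_field(body, "username", tmp.user, sizeof tmp.user) != 0 ||
        get_field(body, "password", tmp.pass, sizeof tmp.pass) != 0)
        return 400;
    *out = tmp;
    return 200;
}

/* Constructed input: a request whose username is `len` bytes of 'A'. */
int status_for_username_len(size_t len)
{
    char body[512];
    struct login out;
    size_t n;

    if (len > 400)
        len = 400;
    n = (size_t)snprintf(body, sizeof body, "username=");
    memset(body + n, 'A', len);
    snprintf(body + n + len, sizeof body - n - len, "&password=x");
    return login_action_checked(body, &out);
}

int main(void)
{
    size_t lens[] = { 5, FIELD_MAX - 1, FIELD_MAX, 200 };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("username of %3zu bytes -> HTTP %d\n",
               lens[i], status_for_username_len(lens[i]));
    return 0;
}
```

Rejecting the oversized field, rather than truncating it, also gives the device a clear event to log.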

Netgear has fixed multiple bugs including a doozy

Wish you could log into someone's Netgear box without a password? Summon a &genie=1
by Iain Thomson for The Register   February 9, 2018
Good news: Netgear fixed lots of bugs affecting many of their routers. Bad news: lots of bugs, patching is a manual process that few router owners do and the flaws were found by Trustwave, not by Netgear.
-- The worst bug is exploitable on the LAN side only, assuming Remote Administration is disabled. Anyone who can access the web-based configuration interface can gain control of vulnerable routers without a password by simply adding "&genie=1" to the URL. The Security Checklist page has suggested ways to lock down LAN side access to a router (item 3). The flaw was discovered in March 2017 and the patch released in September 2017. 17 router models are affected.
-- Another flaw, in the genie_restoring.cgi script, can be abused to extract files and passwords both from the router and from USB flash drives plugged into the router. 17 routers vulnerable here too. The flaw was discovered in March 2017 and the patch issued in August 2017.
-- A bug with WPS leaves 6 Netgear routers vulnerable to arbitrary code execution as root for two minutes after the WPS button is pressed. This is due to a failure to sanitize hostnames. Simply put, if an attacker can press the WPS button on the router, the router can be completely compromised. This flaw was found in March 2017 and the patch was released in Oct. 2017.
-- The least serious flaw affects 6 routers. After logging in, root level command execution is possible via the device_name parameter on the lan.cgi page. Trustwave also found a three-stage attack leveraging three separate issues that lets any user connected to the router run OS commands as root on the device without providing any credentials.
-- See the October 2017 and November 2017 descriptions below of the bugs that Netgear fixed. Fixing bugs in a somewhat timely manner is good, but at some point you have to lose trust in their code base. And timely is a matter of opinion, these bugs took roughly 6 months to get fixed. Finally, the Netgear bug descriptions (here and here for example) say nothing at all about the nature of the problem. That does not inspire confidence.
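Two of the flaws above come from a name (a client hostname, the device_name parameter) reaching an OS command without being sanitized. The sketch below is an added example, not Netgear's code: it validates such a name against an allow-list and hands it over as a single argv element instead of pasting it into a shell command line. The function names and the use of a hostname helper program are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define NAME_MAX_LEN  253  /* RFC 1035 limit for a full name */
#define LABEL_MAX_LEN 63   /* RFC 1035 limit for one label */

static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Accept only RFC 1123 style names: labels of ASCII letters, digits and
 * '-', separated by single dots, no label starting or ending with '-'.
 * Everything else (spaces, quotes, ';', '$', backticks, non-ASCII) fails.
 * Rejecting a leading '-' also stops the name being read as an option. */
int hostname_is_safe(const char *s)
{
    size_t total = 0, label = 0;
    char prev = '.';                 /* start behaves like "after a dot" */

    if (s == NULL || *s == '\0')
        return 0;
    for (; *s != '\0'; s++, total++) {
        unsigned char c = (unsigned char)*s;

        if (total >= NAME_MAX_LEN)
            return 0;
        if (c == '.') {
            if (prev == '.' || prev == '-')
                return 0;            /* empty label, or label ending in '-' */
            label = 0;
        } else if (is_alnum_ascii(c) || c == '-') {
            if (c == '-' && prev == '.')
                return 0;            /* label starting with '-' */
            if (++label > LABEL_MAX_LEN)
                return 0;
        } else {
            return 0;
        }
        prev = (char)c;
    }
    return prev != '.' && prev != '-';
}

/* Weak pattern, for contrast only (never executed here): the value becomes
 * part of a command line that a shell will later parse. */
int format_shell_command_weak(char *cmd, size_t size, const char *name)
{
    return snprintf(cmd, size, "hostname %s", name);
}

/* Hardened pattern: validate, then pass the name as one argv element.
 * A caller would run execv("/bin/hostname", (char *const *)argv) in a
 * child process (assumed helper path), so no shell ever sees the value. */
int build_hostname_argv(const char *name, const char *argv[3])
{
    if (!hostname_is_safe(name))
        return -1;
    argv[0] = "hostname";
    argv[1] = name;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = { "living-room-tv", "nas.lan", "tv;echo x",
                              "-v", "a..b", "name with space" };
    const char *argv[3];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               build_hostname_argv(samples[i], argv) == 0 ? "accepted"
                                                          : "rejected");
    return 0;
}
```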

Further proof that routers contain old software with known vulnerabilities

Comprehensive Firmware Binary Scan Finds KRACK is "Tip of Iceberg" For Known Wi-Fi Security Vulnerabilities
Press Release from Insignary February 6, 2018
In January 2016, the Wall Street Journal reported on home routers with old software containing known bugs - Rarely Patched Software Bugs in Home Routers Cripple Security. This report, from Insignary, shows that nothing has changed. Insignary does binary-level software composition analysis. In other words, they scan executable code (called firmware when dealing with routers) looking for signatures of open source software, and from those signatures, determine the version/release of the software in the executable code. In November 2017 they scanned the firmware of 32 Wi-Fi routers and found numerous known security vulnerabilities. No zero days here. The routers were from ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link. Every router had a security vulnerability. A majority of the examined firmware contained components with more than 10 "Severity High" security vulnerabilities. Half of the firmware had "Severity Critical" vulnerabilities. This report is, of course, a plug for their detection software, but that doesn't change the results.
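A much simplified version of that kind of scan, as an added example (not Insignary's method or code): it searches a firmware image for a component's version string and compares it with the fixed releases named elsewhere on this page (dnsmasq 2.78, GoAhead 3.6.5). The signature prefixes and the sample image are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct version { int part[3]; };

struct component {
    const char *name;
    const char *signature;  /* bytes expected just before the version (assumed) */
    struct version fixed;   /* first fixed release, as stated on this page */
};

static const struct component COMPONENTS[] = {
    { "dnsmasq", "dnsmasq-", { { 2, 78, 0 } } },
    { "GoAhead", "GoAhead/", { { 3, 6, 5 } } },
};
#define N_COMPONENTS (sizeof COMPONENTS / sizeof COMPONENTS[0])

/* Constructed sample image with embedded NULs, not real firmware. */
static const unsigned char SAMPLE_FW[] =
    "hdr\0\0" "dnsmasq-dhcp\0" "started, version %s\0"
    "dnsmasq-2.76\0" "Server: GoAhead/3.6.5\0";
#define SAMPLE_LEN (sizeof SAMPLE_FW - 1)

static int is_digit(unsigned char c) { return c >= '0' && c <= '9'; }

/* Parse "major.minor[.patch]" starting at p without reading past end.
 * Returns 1 if at least major.minor was found. */
static int parse_version(const unsigned char *p, const unsigned char *end,
                         struct version *v)
{
    int parts = 0;

    memset(v, 0, sizeof *v);
    while (parts < 3 && p < end && is_digit(*p)) {
        int n = 0;

        while (p < end && is_digit(*p)) {
            if (n > 9999)
                return 0;           /* not a plausible version number */
            n = n * 10 + (*p++ - '0');
        }
        v->part[parts++] = n;
        if (p + 1 < end && p[0] == '.' && is_digit(p[1]))
            p++;
        else
            break;
    }
    return parts >= 2;
}

static int version_cmp(const struct version *a, const struct version *b)
{
    for (int i = 0; i < 3; i++)
        if (a->part[i] != b->part[i])
            return a->part[i] < b->part[i] ? -1 : 1;
    return 0;
}

/* Returns 1 if the component is present and older than the fixed release,
 * 0 if present and at or above it, -1 if no versioned signature was found.
 * Signature hits that are not followed by a version (such as the
 * "dnsmasq-dhcp" string in the sample) are skipped. */
int check_component(const unsigned char *fw, size_t len,
                    const struct component *c, struct version *found)
{
    size_t sig_len = strlen(c->signature);
    const unsigned char *end = fw + len;

    for (size_t i = 0; i + sig_len <= len; i++) {
        if (memcmp(fw + i, c->signature, sig_len) != 0)
            continue;
        if (parse_version(fw + i + sig_len, end, found))
            return version_cmp(found, &c->fixed) < 0;
    }
    return -1;
}

/* Status of a named component in the constructed sample (-2: unknown name). */
int sample_status(const char *name)
{
    struct version v;

    for (size_t i = 0; i < N_COMPONENTS; i++)
        if (strcmp(COMPONENTS[i].name, name) == 0)
            return check_component(SAMPLE_FW, SAMPLE_LEN, &COMPONENTS[i], &v);
    return -2;
}

int main(void)
{
    for (size_t i = 0; i < N_COMPONENTS; i++) {
        struct version v;
        int r = check_component(SAMPLE_FW, SAMPLE_LEN, &COMPONENTS[i], &v);

        if (r < 0)
            printf("%s: not found\n", COMPONENTS[i].name);
        else
            printf("%s %d.%d.%d: %s\n", COMPONENTS[i].name, v.part[0],
                   v.part[1], v.part[2], r ? "OUTDATED" : "ok");
    }
    return 0;
}
```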


Asus router flaw has been fixed

FortiGuard Labs Discovers Vulnerability in Asus Router
by David Maciejak of Fortinet's FortiGuard Labs   January 30, 2018
Bug fixes have been released for the ASUS RT-N18U, RT-AC66U, RT-AC68U, RT-AC86U, RT-AC87U, RT-AC88U, RT-AC1900, RT-AC2900, RT-AC3100, RT-AC3200 and RT-AC5300. The flaw seems fairly minor. An attacker can forge an HTTP request that injects operating system commands that get executed as root. The flaw is due to unsanitized parameters passed to the apply.cgi script. It is mostly a LAN side attack, unless remote administration is enabled via HTTP. Asus fixed this quickly. It was reported to them Dec 23, 2017 and 4 days later they gave FortiGuard a patch to verify. The fix started rolling out Jan. 2, 2018.

An old D-Link HNAP flaw exploited by a new botnet

Masuta : Satori Creators' Second Botnet Weaponizes A New Router Exploit.
by Ankit Anubhav, Principal Researcher, NewSky Security   January 23, 2018
Quoting: "We analyzed two variants of an IoT botnet named 'Masuta' where we ... discovered a router exploit being weaponized for the first time in a botnet campaign ... The weaponized bug introduced in PureMasuta botnet is in the HNAP (Home Network Administration Protocol) which itself is based on the SOAP protocol. It is possible to craft a SOAP query which can bypass authentication by using hxxp:// Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution."

Two Asus router flaws have been fixed

Advisory - Asus Unauthenticated LAN Remote Command Execution
by SecuriTeam a division of Beyond Security   January 22, 2018
Two vulnerabilities in AsusWRT (the firmware on Asus routers) version can lead to remote command execution from the LAN side. Independent security researcher Pedro Ribeiro discovered the flaws. Asus has released patches as of version One flaw is that the handle_request() routine allows an unauthenticated user to perform a POST request for certain actions. An attacker can trigger the vulnerabilities and reset the admin password. This, in turn, lets an attacker log in to the web interface, enable SSH, reboot the router and log in via SSH. Another flaw is in the same code that was reported buggy in 2015, the infosvr service which listens on LAN side UDP port 9999. The buggy routers are the RT-AC88U, RT-AC3100, RT-AC86U, RT-AC68U and RT-AC66U.

MikroTik and Ubiquiti Routers defaced due to default passwords

Tens of Thousands of Defaced MikroTik and Ubiquiti Routers Available Online
by Catalin Cimpanu of Bleeping Computer   January 10, 2018
If you don't change the default password, you get what you deserve. It seems that, as a prank, someone has been changing the names of routers. Ankit Anubhav of cyber-security company NewSky Security first ran across this back in July. He estimates that over 40,000 Ubiquiti routers have been defaced along with 7,300 MikroTik routers. The names given to the routers are "HACKED FTP server," "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED," and "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD."

Flaws in D-Link routers in Israel

Advisory - D-Link DSL-6850U Multiple Vulnerabilities
by SecuriTeam a division of Beyond Security   January 1, 2018
An independent security researcher reported two flaws in the D-Link DSL-6850U versions BZ_1.00.01 - BZ_1.00.09. The router is manufactured by D-Link for Bezeq in Israel. Bezeq was informed of the vulnerability on June 9, and released patches to address the vulnerabilities. One flaw was a default account that could not be disabled. The userid and password were both "support". In addition, remote administration was enabled by default and a flaw allowed for Remote Command Execution.



Security flaw in the GoAhead web server

GoAhead ... and pwn us: Remote hijacking flaw in Internet of Things gear
by Shaun Nichols of The Register   December 20, 2017
We have seen this movie before. Web server software included in routers and IoT devices is buggy and easily exploited. Bug fixes are available but many/most vulnerable devices will never get updated. The web server software is GoAhead from a company called Embedthis which says "GoAhead is the world's most popular, tiny embedded web server. It is compact, secure and simple to use. GoAhead is deployed in hundreds of millions of ... devices and applications. For example: printers, routers, switches, IP phones, mobile applications, data acquisition, military applications and WIFI gateways." Embedthis publicly documented the flaw (see below) on June 12, 2017. The bug was fixed in version 3.6.5 which has been available since then. Security firm Elttam, which found the flaw, blogged about it and provided technical details on Dec. 18, 2017. Counts of Internet accessible devices running the GoAhead server number over 500,000 but they are not all vulnerable. For one thing, the bug is in CGI and Embedthis claims that many of their customers do not use CGI. They claim to have been discouraging its use for more than 10 years. CGI is slower, bigger and less secure than competing services: in-memory scripting and URL-to-C binding. In addition, vulnerable CGI programs have to be dynamically linkable and quite a few devices use statically linked binaries instead.

Netgear WiFi Family website hacked for two years

Vigilante Removes Malware from Netgear Site After Company Fails to Do So for 2 Years
by Catalin Cimpanu of Bleeping Computer   December 15, 2017
A few years ago, Netgear created a website,, that had articles on the usage of various Netgear technologies. The site was based on WordPress and not secured correctly. As a result, the site has been compromised since February 2015. Scammers abused the site to send spam that directed people to fully functional fake tech support sites that were hosted on the WiFi Family site. After this got publicity, the website was finally taken offline on December 16, 2017.

Satori botnet abusing routers

Warning: Satori, a Mirai Branch Is Spreading in Worm Style on Port 37215 and 52869
by Li Fengpei of Qihoo 360 Netlab   December 5, 2017
Quoting: "About 12 hours ago ... we noticed a new version of Satori (a mirai variant which we named Satori), starting to propagate very quickly on port 37215 and 52869. Two new exploits ... have been added ... during last recent 12 hours we have seen 263,250 different IPs scanning port 37215, and 19,403 IPs scanning port 52869." They have not yet disclosed information on the flaw involving port 37215. The bug being exploited on port 52869 is derived from CVE-2014-8361. It is not clear, to me at least, if this is the same botnet that Dan Goodin wrote about below.
UPDATE: Script Kiddie Responsible for Large Satori Botnet by Lucian Constantin in Security Boulevard December 22, 2017. Security researchers at Check Point Software believe that the Satori botnet of more than 250,000 routers was created by an amateur hacker with limited skills. The botnet abuses a known bug in the Miniigd UPnP SOAP service on port 52869 and a new bug in Huawei HG532 home gateways on port 37215. Huawei exposed a configuration service intended to only be used on the LAN side to the Internet. It is scary that a relatively unskilled attacker can build a large botnet capable of devastating attacks. It highlights the poor state of router and IoT security across the internet.

A botnet spreads by attacking un-named flaws in Huawei Home Gateways

100,000-strong botnet built on router 0-day could strike at any time
by Dan Goodin of Ars Technica   December 5, 2017
First off, clickbait. There are many botnets that could strike at any time. It is, sadly, the new normal. The buggy devices are the Huawei EchoLife Home Gateway and the Huawei Home Gateway. The bug was first disclosed by Check Point Software on Nov. 27, 2017. The botnet spreads both by abusing a bug and also by guessing 65,000 different userid/password combinations. It does not abuse Remote Administration. This is the second botnet, after Reaper, to spread by abusing flaws in routers. There is much we do not know:
--There are multiple Huawei Home Gateway models and it is not clear if some or all are buggy
--What firmware versions have the bug?
--What userid/passwords is the botnet guessing?
--Defense. The article says nothing at all about defending against the flaw. Typical of clickbait.
--Does Huawei know about the bug? Acknowledge it? Have they issued a fix?


Still more Good News, Bad News with Netgear

NETGEAR Security Advisories   from Netgear
The good news is that Netgear seems to be on the ball, fixing bugs in their router software.
The bad news is that there are sooooooooooo many bugs.
Last month, I summarized the bug reports, this month, they are listed below.
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2156
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2153
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2152
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2150
11/22/2017 Security Advisory for Authentication Bypass on Routers, PSV-2017-2148
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2147
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2146
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2145
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2144
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2141
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2139
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2138
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2136
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2135
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2134
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2016-0096
11/21/2017 Security Advisory for Authentication Bypass on R6300v2, PLW1000v2, and PLW1010v2, PSV-2016-0069
11/21/2017 Security Advisory for Authentication Bypass on Some Routers and Gateways, PSV-2016-0061
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2154
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2143
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2017-2142
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2140
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Some Routers and Extenders, PSV-2017-0706
11/21/2017 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2017-0670
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-0615
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-0335
11/21/2017 Security Advisory for Cross-Site Request Forgery on Some Routers, PSV-2017-0331
11/21/2017 Security Advisory for Authentication Bypass on Some Routers, PSV-2017-0330
11/21/2017 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2017-0324
11/21/2017 Security Advisory for Stored Cross-Site Scripting on Some Routers, PSV-2017-0323
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2016-0256
11/21/2017 Security Advisory for Security Misconfiguration on Some Extenders, PSV-2016-0253
11/21/2017 Security Advisory for Security Misconfiguration on Some Extenders, PSV-2016-0115
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers and Extenders, PSV-2016-0104
11/21/2017 Security Advisory for Cross-Site Request Forgery on Some Routers, PSV-2016-0101
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2133
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2017-2517
11/21/2017 Security Advisory for Arbitrary File Read on Some Routers and Extenders, PSV-2017-0319
11/20/2017 Security Advisory for Security Misconfiguration on Routers, PSV-2017-2124
11/20/2017 Security Advisory for Pre-Authentication Buffer Overflow on Routers, PSV-2017-0791
11/20/2017 Security Advisory for Post-Authentication Command Injection on Routers, PSV-2017-0329
11/20/2017 Security Advisory for Cross Site Request Forgery on Routers and Modem Routers, PSV-2017-0333
11/20/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-2756
11/20/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2016-0120
11/17/2017 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2017-2157
11/17/2017 Security Advisory for Post-Authentication Stack Overflow on R8300 and R8500, PSV-2017-2227
11/16/2017 Security Advisory for Post-Authentication Stack Overflow on R8000, PSV-2017-2229
11/16/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2017-2451
11/16/2017 Security Advisory for Security Misconfiguration on Some Routers and Extenders, PSV-2017-2212
11/16/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2210
11/16/2017 Security Advisory for Denial of Service on Some Routers, PSV-2017-0648
11/16/2017 Security Advisory for Arbitrary File Read on DST6501 and WNR2000v2, PSV-2017-0425
11/16/2017 Security Advisory for Post-Authentication Command Injection on Routers, PSV-2017-0320
11/15/2017 Security Advisory for Cross Site Request Forgery on Extenders, PSV-2016-0130
11/15/2017 Security Advisory for Arbitrary File Read on Routers and Extenders, PSV-2016-0122
11/15/2017 Security Advisory for Post-Authentication Buffer Overflow on Powerlines and a Router, PSV-2016-0121
11/15/2017 Security Advisory for Stored Cross Site Scripting on Routers, PSV-2016-0100
11/15/2017 Security Advisory for Authentication Bypass on Some Routers and Extenders, PSV-2017-0424

ZyXEL routers being attacked

Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323
by Li Fengpei of Qihoo 360 Netlab   November 24, 2017
A new variant of the Mirai botnet has been detected, mostly in Argentina. It attacks ports 23 and 2323 on ZyXEL devices that have a default userid/password. This gets the bad guys into the devices, then a second vulnerability (CVE-2016-10401), a hard coded superuser password, gives them root privileges. Game over. On ZyXEL PK5001Z devices, zyad5001 is the superuser password. Almost 100,000 infected devices were detected in Argentina, specifically in the network of Telefonica de Argentina. Obviously, they shipped devices with default passwords. Re-booting an infected device should remove any malware.

TP-Link firmware lags in Europe

TP-Link serves outdated or no firmware at all on 30% of its European websites
by Daniel Aleksandersen on his personal blog November 20, 2017
TP-Link has 60 country-specific websites around the world, 24 in Europe. Aleksandersen bought a TP-Link RE650 repeater and noticed that his Norway TP-Link website was two firmware releases behind the neighboring countries of Denmark and Sweden. So, he looked at how each of the 24 European websites ranked in terms of available firmware releases. He investigated nine TP-Link products sold in Europe, and checked the available firmware in each website, a total of 216 data points. Only 6 countries had the latest firmware versions available for all nine products. Put another way, there are problems on 75% of TP-Link's European websites. He found the most recent European firmware was as much as a year out of date compared to the US firmware. And, there does not seem to be a good reason for this. The changelogs for the newer American firmware showed updates that were not region specific in any way.
Adding insult to injury is the firmware update process. None of the TP-Link devices self-update. Worse still, the company does not contact their customers to tell them of newly released bug fixes. There are no emailing lists or syndication feeds. Nuttin.
Aleksandersen wonders why TP-Link even has 24 websites. He says there is no need for country specific firmware for Wi-Fi networking equipment within the EEA-single-market. He found that ASUS, Linksys, Netgear, and others have a single global firmware download; or two-three regional variants at the most, all being offered on the same download page.
Finally, he writes "We're a month in to the KRACK Attack vulnerability disclosure, and TP-Link hasn't yet released updates for any of their products ... Stay well away from TP-Link products if you're any bit conscious about the security of your devices." As I say, avoid all consumer routers.

ISP in Ireland has to replace modems. Good for Ireland. Would never happen in US

Eir forced to replace 20,000 modems over security concerns
by Pater Hamilton of Irish Times   November 6, 2017
Last year, Eir contacted about 130,000 of its customers as a result of security concerns that the customers routers were vulnerable to infection by a virus that could ultimately lead to them being hacked. At that time, the company said nearly 2,000 customer routers had been breached. Following an investigation by the Data Protection Commissioner, the company had to replace almost 20,000 modems for customers with basic broadband packages without access to fibre services. Additionally, Eir agreed to ... ensure that modem devices provided appropriate security during their lifetime.


A classic case of Good News, Bad News

NETGEAR Security Advisories   from Netgear
On Oct 24, 2017 Netgear issued three security advisories for their routers. On Oct. 25th, they issued 8 more security advisories for routers. On Oct. 27th they issued two more router security advisories. The good news is that they are being informed of these bugs and fixing them. In early 2017 Netgear changed how they deal with bug reports from outside the company. The bad news is that their routers are buggy as heck. Does the good outweigh the bad? Matter of opinion.


Key Reinstallation Attacks
by Mathy Vanhoef of imec-DistriNet, KU Leuven   October 16, 2017
WPA2 was considered secure for a dozen years. Then, on October 16, 2017 details of the KRACK flaw were released showing that bad guys could break WPA2 encryption. For the most part the bug is with clients rather than routers. That said, it's complicated; there are 10 different KRACK related bugs. Two involve routers. One comes into play when a client switches between access points that are part of the same network. The other involves routers acting as clients. For my favorite router, the Pepwave Surf SOHO, this means its WiFi as WAN feature is vulnerable. Network extenders should also be vulnerable. KRACK has nothing to do with Wi-Fi passwords. Many articles said KRACK lets bad guys steal your passwords; that is fear mongering, as almost all passwords are encrypted with TLS/HTTPS. And a VPN or TOR can offer yet another level of encryption. Yet another reason not to use an Apple router, they said nothing about this.

Not news: old D-Link routers are buggy

D-Link DIR-600/300 Router Unauthenticated Remote Command Execution Vulnerability
by Check Point   October 19, 2017
A remote code execution vulnerability exists in the D-Link DIR-600 and DIR-300 routers. A remote attacker can exploit this weakness to execute arbitrary code in the affected router. The DIR-600 is an old Wi-Fi N router.

Netgear updates pretty much everything

Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices
by Tom Spring of Kaspersky ThreatPost   October 2, 2017
Netgear issued 50 patches for its routers, switches, NAS devices, and wireless access points to resolve vulnerabilities ranging from remote code execution bugs to authentication bypass flaws. Twenty of the patches address "high" vulnerability issues with the remaining 30 scored as "medium" security risks. One of those vulnerabilities (PSV-2017-1209) is a command injection bug tied to 17 consumer routers.

7 Security Bugs in dnsmasq

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities
by Google Security   October 2, 2017
Dnsmasq is open source DNS and DHCP software and is commonly installed on routers, Linux and Android. The most severe of the 7 bugs could be remotely exploited to run malicious code and hijack the device. Three bugs are potential remote code executions, one is an information leak, and the remaining 3 are denial of service flaws. Trend Micro has identified around 1 million devices that are running a vulnerable version of dnsmasq and expose port 53 (DNS) on the public internet. The latest version of Dnsmasq, v2.78, has fixes for all the bugs.


Netgear routers attacked by abusing old bug

RouteX Malware Uses Netgear Routers for Credential Stuffing Attacks
by Catalin Cimpanu of   September 13, 2017
Quoting: "A Russian-speaking hacker has been infecting Netgear routers over the past months with a new strain of malware named RouteX that he uses to turn infected devices into SOCKS proxies and carry out credential stuffing attacks. According to Forkbombus Labs ... the hacker is using CVE-2016-10176, a vulnerability disclosed last December to take over Netgear WNR2000 routers." The bug lets the bad guy run the RouteX malware on Netgear routers that have not been patched. The malware defends itself by modifying the firewall of infected routers. This is the reason not to re-use passwords. Credential stuffing is the name given to the process of trying one stolen userid/password at multiple websites/services. To avoid being detected, bad guys spread out their credential stuffing so that it is performed from many different locations, none tied to them. Possibly from your Netgear router. The SOCKS proxy server serves as a middleman that reroutes data between the bad guy and his intended targets. How can you tell if your Netgear router is infected? No one said. It can't hurt to check for new firmware on all Netgear routers. If manual checking is too much, some routers self-update (see my list). Among the cheaper options, a single Google Wifi hockey puck router can be had for about $120. A single AmpliFi square router is about $130. A single eero costs about $200 and the Synology RT1900ac is around $120.

Three more D-Link router flaws

Enlarge your botnet with: top D-Link routers
by security firm Embedi   September 12, 2017
Embedi found three flaws in the D-Link DIR890L, DIR885L, DIR895L and, most likely, other DIR8xx routers. Four months after first contacting D-Link, two of the flaws have not been patched. The one that was patched was only fixed in the DIR890L; other models are still vulnerable. The good news here is that exploitation is LAN side and anyone following my advice on securing local access to a router and assigning IP addresses is protected.
-- BUG1: In the router, phpcgi processes its internal web interface web pages. A malicious request, sent to http://, can bypass the normal authorization checks and execute a script that returns the userid/password of the router.
-- BUG2: There have been many bugs over the years involving HNAP, this is yet another. A malicious request sent to http:// can cause a stack overflow that allows for the execution of shell commands with root privileges.
-- BUG3: There is a window of opportunity just after the router starts up, where a device connected to an Ethernet LAN port can upload new firmware onto the router. This begs the question of why firmware is not digitally signed. If it was, the new firmware would be rejected. One way to restart the router (in addition to the other two bugs) is to send an EXEC REBOOT SYSTEM command to port 19541. No password needed. This port is open on the LAN side and there does not seem to be a way to close it.
According to Victor Gevers, there are over 98,000 vulnerable D-Link routers (including the 10 flaws in the 850L). The blog posting includes ugly details of Embedi trying to get D-Link to fix things. When combined with the below D-Link router flaws, reported just a few days earlier, I am left thinking that a qualified person could find flaws in any D-Link router.

D-Link 850L router should be disconnected from Internet

Researcher Publishes Details on Unpatched D-Link Router Flaws
by Catalin Cimpanu of Bleeping Computer   September 9, 2017
Pierre Kim, who has found many router flaws in the past, published the details of TEN vulnerabilities he discovered in the D-Link DIR 850L router. The 850L is a wireless AC1200 Dual Band Gigabit "Cloud" Router. He also found flaws in the Mydlink Cloud Service, which lets you remotely access and control D-Link devices on your home network. Kim published his findings without notifying D-Link first. Back in February they ignored his previous attempts at reporting other flaws. The flaws can be exploited from both the LAN and WAN side of the router. Bad guys can make the router sing and dance. More specifically, they can intercept traffic, upload malicious firmware and get root privileges. Kim recommends disconnecting any DIR 850L routers.

Some AT&T Arris gateways are brutally vulnerable

by Joseph Hutchins of Nomotion   August 31, 2017
Let's be clear: this is a disgrace. Security firm Nomotion claims that AT&T U-verse modems, models NVG589 and NVG599, have brutal security flaws; five all told, that let the devices be fully and totally hacked by bad guys, including uploading new firmware. They claim there are at least 220,000 of these vulnerable devices currently in use. Articles on this refer to the devices as "modems" but that is not correct. They are gateway devices, combining modem and router features. Three of the five flaws are hard coded backdoor accounts. Another is that SSH is enabled by default on the WAN side where anyone can login as root using one of the hard coded userid/passwords. Also on the WAN side, an HTTP request to open port 49152 allows bad guys to bypass the device's firewall and open a TCP proxy connection to the device. This hack requires a predictable three-byte value followed by the MAC address. They found this port open on every single AT&T device they tested. Malpractice, I say. On the LAN side, attackers can authenticate on port 49955 to the web admin interface with the username "tech" and an empty password. The web server in the boxes is also vulnerable to a command injection flaw that lets bad guys run shell commands in the context of the web server. It's not clear if this is LAN or WAN side. Finally, someone who knows the device serial number can use a hard coded userid/password to authenticate to the device on port 61001. Here too, it's not clear if the flaw is LAN or WAN side. All told, these devices are a botnet just waiting to happen.
Perhaps the most shocking thing was that Hutchins found a module in the kernel "whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic." He said the module is not being used but the code is there.
How much of the blame falls on AT&T vs. Arris is not yet clear. Hutchins did note that Arris has a history of "careless lingering of hardcoded accounts on their products."
I may have been wrong about the most shocking aspect. It is that AT&T ignored this. As of two weeks after the disclosure, they have said nothing. Seems they want to keep their customers ignorant of the problems. Arris initially said they are investigating but two weeks later, they have said nothing else. It seems that unless stories like this break out of the nerd news, companies are not sufficiently shamed to do anything. Even Equifax did something.


Netgear reports on 3 bugs in their routers

NETGEAR Security Advisory Newsletter
by Netgear August 2017
The following bugs in Netgear routers come from the NETGEAR Security Advisory Newsletter. None of the Security Advisories offer details on the flaws. Anyone owning a Netgear router should subscribe to the newsletter, if only because none of these bugs were reported anywhere else, that I can find.

Cisco routers and switches vulnerable

Australian businesses targeted in Cisco switch and router attacks: ACSC
by Stilgherrian of ZDNet   August 16, 2017
The Australian Cyber Security Centre (ACSC) warns that Cisco routers and switches with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are vulnerable to having their configuration files extracted. The config files may contain device administrative credentials which can be used to compromise the device. Also vulnerable are switches using Cisco Smart Install (SMI) that are accessible from the internet. SMI is a feature in Cisco IOS that was intended for LAN side use and thus has no authentication. SNMP is included in my suggested list of stuff to turn off.

Flaw in some Juniper routers goes unpatched for months

Juniper issues security alert tied to routers and switches
by Tom Spring of Kaspersky Threatpost   August 10, 2017
There was a bug in the open-source GD graphics image library (libgd) that could allow a remote attacker to take control of systems running certain versions of the Junos OS. The bug existed in T Series and MX series routers along with four switch products. Juniper has issued a software fix. To me, the most interesting aspect is how long it took Juniper to fix the problem which was first made public in April 2016. Many Linux distributions quickly fixed it. The article says "Use of the flawed libgd library has stung a wide range of firms over the past year." Juniper did not publish a Security Advisory about this until July 12, 2017.

JULY 2017

Netgear Router Analytics means Netgear spies on your router

Netgear Enables User Data Collection Feature on Popular Router Model
by Catalin Cimpanu of Bleeping Computer   May 22, 2017
News about this broke in May 2017, I'm late in writing it up. And, although this is not a software bug, it is a flaw nonetheless - one of corporate personality. Simply put, Netgear now spies on some of their routers. This rolled out in April 2017 with firmware for the R7000. Also in April, spying/analytics was added to the Orbi RBK40, RBR40 and RBS40 (Firmware Version In each case "data collection" is on by default, you have to login to the router to disable it. If you have a Netgear router, consider installing DD-WRT on it from the Netgear supported site.

JUNE 2017

Two bugs in an old TP-Link router

CVE-2017-9466: Why Is My Router Blinking Morse Code?
by Senrio   June 19, 2017
Senrio has discovered two flaws in the TP-Link WR841N Version 8 router. The flaws, which can only be exploited on the LAN side, allowed them to not only gain administrative access to the device but also to run malicious code on it. The flaws were reported to TP-Link in Sept. 2016 and they were initially reluctant to fix an older product that was no longer supported. However, the fix was released in Feb. 2017. There was no update to the firmware for versions 9 and 11 of the router. It is not known if other TP-Link routers suffer from similar flaws. The first flaw was in a configuration service that allows attackers to send it commands without first logging in. The second flaw was a stack overflow issue and this is what let them install and run malicious software on the router.

This is not news: the CIA targets many routers

CIA has been hacking into Wi-Fi routers for years, leaked documents show
by Zack Whittaker of ZDNet   June 15, 2017
Secret documents, dated 2012 and leaked by WikiLeaks, reveal that the CIA has been targeting and compromising routers for years in an effort to carry out clandestine surveillance. One tool, known as CherryBlossom, allows the agency to monitor a target's internet activity, redirect their browser and scan for information. The documents, which have not been verified, suggest this has been going on for years. CherryBlossom runs on 25 router models from 10 different manufacturers, and it's likely that modifications would allow the implant to run on at least 100 more routers. Among the brands are Asus, Belkin, Buffalo, Dell, Dlink, Linksys, Motorola, Netgear, Senao and US Robotics.

Multiple WiMAX routers are easily hacked

Ghosts from the past: Authentication bypass and OEM backdoors in WiMAX routers
by Stefan Viehbock of SEC Consult Vulnerability Lab   June 7, 2017
WiMAX routers that make use of a custom httpd plugin for libmtk (the MediaTek SDK library) are vulnerable to an authentication bypass that allows a remote, unauthenticated attacker to change the administrator userid and password. The vulnerable software is commit2.cgi. It accepts a variable called ADMIN_PASSWD which is the new password. The full list of vulnerable routers is not known. Vendors making vulnerable routers include GreenPacket, Huawei, MADA, ZTE and ZyXEL. In addition, Viehbock believes the routers also contain backdoor accounts. The Huawei devices will not be fixed, the company said they are too old. The firmware was developed by ZyXEL which did not respond to inquiries made by CERT. After this got publicity, they responded to Chris Brook of Kaspersky's Threatpost that they are "working on a solution". Time will tell.

7 bugs in web interface of Peplink routers

Multiple Vulnerabilities in peplink balance routers
by Eric Sesterhenn of X41 D-Sec GmbH   June 5, 2017
Bugs have been reported in the web interface of Peplink Balance routers models 305, 380, 580, 710, 1350, 2500 running firmware 7.0.0. Initially it was not clear if other Balance routers were also vulnerable. They are. It was also not clear if other Peplink routers, such as the model I recommend, the Surf SOHO, are vulnerable. They are. And, it was not initially clear if the flaws are only in firmware 7.0.0 or if they also exist in the previous 6.3.3 firmware. They exist in both.
As to flaw details: (1) The worst is said to be a SQL injection attack via the bauth cookie parameter. This allows access to the SQLite session database containing user and session variables. (2) With specialized SQL queries, it is possible to retrieve usernames from the database. This doesn't strike me as a big deal because Peplink lets you change the username. So, lots of guessing needed to exploit this. (3) The CGI scripts in the admin interface are not protected against cross site request forgery attacks. This allows an attacker to execute commands, if a logged in user visits a malicious website. (4) Passwords are stored in cleartext. (5) If the web interface is accessible, it is possible to abuse the syncid parameter to trigger a cross-site-scripting issue. (6) If the web interface is accessible, it is possible to abuse the orig_url parameter to trigger a cross-site-scripting issue in preview.cgi. (7) A logged in user can delete arbitrary files. (8) If the web interface is accessible, it is possible to retrieve the router serial number without a valid login.
The report said that Peplink released updated firmware, version 7.0.1 to fix these bugs on June 5, 2017. However, on the 6th there was no mention of this firmware on the Peplink download page. In fact, there was no mention of these bugs anywhere on the Peplink site or in their forum. On the other hand, the reported timeline shows that Peplink responded quickly and fixed the bugs quickly. Running the admin interface on a non-standard port would likely have prevented abuse of these flaws. Also, devices in an isolated VLAN can be prevented from even seeing the router admin interface.
Peplink responded on June 7th in a forum posting on their website: 7.0.1 RC4 and 6.3.4 RC Addresses Security Advisory CVE-2017-8835 ~ 8840 This has links to updated firmware for all affected models. The new firmware is currently in Release Candidate status. It is expected to be upgraded to GA (Generally Available) status in a week. There are also a couple suggested work-arounds in case updating the firmware is not an immediate option.
3Gstore, a Peplink retailer that I have used a few times, sent an email to their customers about this which raised an excellent point that no one else had. There is a hidden danger to the fact that bad guys can learn the router serial number - they can register the router with Peplink's remote control service, InControl2 - if the router has not already been registered. So, 3Gstore suggests, that even if you are not using InControl 2, you should create an account and register your Peplink router for the sole purpose of preventing a bad guy from registering it. Routers registered with the InControl 2 service can be remotely controlled.
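
The SQL injection via a session cookie described in item (1) above comes down to how the cookie value reaches the SQLite query. The following is an added example, not Peplink's code and not part of the original article: the table layout, the 16-hex-character session id format, the function names and the sample rows are all assumptions made for the illustration.

```python
import re
import sqlite3

# Assumption for this example: session ids are 16 lowercase hex characters.
SESSION_ID_RE = re.compile(r"[0-9a-f]{16}")


def make_session_db():
    """Build an in-memory session table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        "sessionid TEXT PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    db.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [
            ("3f9c1a7e5b2d4c68", "admin", 1),  # constructed
            ("a81d0e2247f9b350", "guest", 0),  # constructed
        ],
    )
    return db


def lookup_vulnerable(db, bauth_value):
    """Deliberately unsafe: the cookie text becomes part of the SQL statement,
    so a quote character in the cookie changes the meaning of the query."""
    query = (
        "SELECT username, is_admin FROM sessions "
        "WHERE sessionid = '" + bauth_value + "'"
    )
    return db.execute(query).fetchone()


def lookup_bound_only(db, bauth_value):
    """Parameter binding: the cookie is always treated as data, never as SQL."""
    return db.execute(
        "SELECT username, is_admin FROM sessions WHERE sessionid = ?",
        (bauth_value,),
    ).fetchone()


def lookup_hardened(db, bauth_value):
    """Binding plus a format check, so malformed cookies never reach the
    database at all and can be logged as suspicious."""
    if not SESSION_ID_RE.fullmatch(bauth_value):
        return None
    return lookup_bound_only(db, bauth_value)


if __name__ == "__main__":
    db = make_session_db()
    # Constructed textbook tautology; there is no session with this id.
    tampered = "nosuchsession' OR '1'='1"
    for name, fn in (
        ("vulnerable", lookup_vulnerable),
        ("bound only", lookup_bound_only),
        ("hardened", lookup_hardened),
    ):
        print(f"{name:11s} valid cookie -> {fn(db, '3f9c1a7e5b2d4c68')}")
        print(f"{name:11s} tampered     -> {fn(db, tampered)}")
```

With the string-built query the tampered cookie is accepted as a live session even though no such session exists; with a bound parameter the same cookie matches nothing.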

EnGenius Enshare bug has been patched

EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
by Gjoko Krstic of Zero Science Lab   June 4, 2017
With the EnGenius IoT Gigabit Routers and their mobile app you can transfer files to/from a USB hard drive attached to the router. Enshare is a USB media storage sharing application that enables local and remote access to files on a USB hard drive. EnGenius EnShare suffers from an unauthenticated command injection vulnerability. An attacker can inject and execute arbitrary code as the root user via the 'path' GET/POST parameter parsed by 'usbinteract.cgi' script. EnGenius ignored the initial report of the problem, but they fixed it roughly two weeks after it was publicly disclosed.
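
Command injection through a request parameter, such as the 'path' parameter described above, happens when the parameter is pasted into a shell command line. The following is an added example, not EnGenius code and not part of the original advisory: a hypothetical handler that lists a folder on a USB share, in an unsafe and a hardened form. The function names, the share layout and the harmless `echo` marker are assumptions.

```python
import os
import subprocess
import tempfile


def list_share_vulnerable(share_root, path_param):
    """Deliberately unsafe: the parameter is concatenated into a string that
    /bin/sh parses, so shell metacharacters in it are interpreted."""
    cmd = "ls " + share_root + "/" + path_param
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def resolve_inside(share_root, path_param):
    """Resolve the requested path and refuse anything outside the share."""
    if "\x00" in path_param:
        raise ValueError("NUL byte in path")
    root = os.path.realpath(share_root)
    target = os.path.realpath(os.path.join(root, path_param))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the share root")
    if not os.path.isdir(target):
        raise ValueError("no such directory on the share")
    return target


def list_share_hardened(share_root, path_param):
    """No shell is involved: the validated path is passed as one argv entry,
    and '--' stops it from ever being read as an option."""
    target = resolve_inside(share_root, path_param)
    result = subprocess.run(
        ["ls", "-1", "--", target], capture_output=True, text=True, check=True
    )
    return sorted(result.stdout.splitlines())


def _attempt(share_root, path_param):
    """Return 'rejected' if the hardened handler refuses the parameter."""
    try:
        list_share_hardened(share_root, path_param)
        return "accepted"
    except ValueError:
        return "rejected"


def demo():
    """Run both handlers against a temporary, constructed share."""
    with tempfile.TemporaryDirectory() as share:
        os.mkdir(os.path.join(share, "photos"))
        open(os.path.join(share, "photos", "a.jpg"), "w").close()

        # Constructed input: a second command that only prints a marker.
        tampered = "photos; echo INJECTED"
        vulnerable_output = list_share_vulnerable(share, tampered)

        return {
            "vulnerable_ran_injected": "INJECTED" in vulnerable_output,
            "hardened_injection": _attempt(share, tampered),
            "hardened_traversal": _attempt(share, "../../etc"),
            "hardened_absolute": _attempt(share, "/etc"),
            "hardened_listing": list_share_hardened(share, "photos"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A handler that runs as root, as the advisory says this one does, turns the unsafe form into full control of the device, which is why both the shell and the root privilege are worth removing.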

MAY 2017

Asus router bugs

ASUS Patches RT Router Vulnerabilities
by Michael Mimoso of Kaspersky Threatpost   May 11, 2017
Asus recently fixed multiple bugs in 30 RT router models. Nightwatch Cybersecurity found the bugs. Some were patched in March, some just now. An attacker on the LAN side can change router settings, steal Wi-Fi passwords or get leaked system information. Malicious JavaScript can abuse a CSRF flaw to login to the router. An issue with leaking system information was not felt to be important by Asus and was not patched.

Multiple bugs in an old Cisco VPN router

Cisco drops critical security warning on VPN router, 3 high priority caveats
by Michael Cooney of Network World  MAY 3, 2017
The Cisco CVR100W VPN router is old. It only does Wi-Fi N and it does not support Gigabit Ethernet. It has a critical bug in its Universal Plug-and-Play (UPnP) software which fails to do good range checking of UPnP input data. The bug could let an unauthenticated, Layer 2-adjacent attacker execute arbitrary code as root or cause a denial of service. Cisco has released new firmware with a fix. The same router also has a vulnerability in the remote management access control list feature that could allow an unauthenticated, remote attacker to bypass the remote management ACL. No fix for this second flaw seems to be available.

Bug in Cisco IOS XR routers

Cisco IOS XR Software Denial of Service Vulnerability
by Cisco   May 3, 2017
The Event Management Service daemon of Cisco IOS XR routers improperly handles gRPC requests. This could allow an unauthenticated, remote attacker to crash the router in such a manner that manual intervention is required to recover. The gRPC service is not enabled by default. Cisco has released a bug fix.

Privacy issues with Trend Micro software in Asus routers

Review: ASUSWRT router firmware
by Daniel Aleksandersen of   May 2, 2017
The stock firmware that runs Asus routers is called ASUSWRT and it has a somewhat hidden privacy issue. If you use any of the following features, it will collect and transmit data about which websites you visit to Trend Micro: Apps/traffic Analysis, Bandwidth Monitor, Network Analyzer, Network Protection (AiProtection), Parental Controls (including time scheduling), Quality-of-Service, Web History and Network Map. This is spelled out in a EULA from Trend Micro. If the software thinks a website URL is potentially fraudulent, it sends the URL to Trend. In addition, executable files or content that is identified as potential malware is also sent to Trend. Finally, email messages identified as spam or malware are sent to Trend, despite the fact that they may contain sensitive data. Quoting: "The EULA also contains language holding the router's owner responsible for notifying their friends, family, and house guests who connect to the internet through the ASUS router that any network activity may be recorded and shared with Trend Micro."

APRIL 2017

Flaw in modems using Intel's Puma 6 chipset

You can blow Intel-powered broadband modems off the 'net with a 'trivial' packet stream
by Shaun Nichols of The Register   April 27, 2017
OK, it's about modems, not routers. Close enough. A modem using Intel's Puma 6 chipset can be overloaded and virtually knocked offline by a small amount of incoming data. There is no mitigation, but it does require a constant attack. When the attack stops, things return to normal. The bug has to do with exhausting an internal lookup table. Known vulnerable devices are the Arris SB6190 and the Netgear CM700. The Puma 6 chipset is also used in some ISP-branded cable modems, including some Xfinity boxes supplied by Comcast in the US and the latest Virgin Media hubs in the UK such as the Super Hub 3. Earlier articles mentioned a possible modem firmware update. However, even if a fix is issued you are at the mercy of your ISP to install it. Good luck with that.
UPDATE: The performance issues with Intel's Puma 6 gigabit broadband modem chipset also affect the Puma 5 and Puma 7 family. See Intel Pumageddon: Broadband chip bug haunts Chipzilla's past, present and future by Shaun Nichols of The Register August 9, 2017.

Ten flaws in 25 Linksys routers

Linksys Smart Wi-Fi Vulnerabilities
by Tao Sauvage of IOActive   April 20, 2017
Researchers discovered ten bugs, six of which can be exploited remotely by unauthenticated attackers. The bugs exist in four models of the WRT series and 21 models of the EAxxxx Series. Two of the bugs allow remote unauthenticated attackers to crash the router. Others leak sensitive information such as the WPS pin code, the firmware version, information about devices connected to the router and other configuration settings. The most serious bug requires authentication - it lets attackers execute shell commands with root privileges. In the worst case, this lets a bad guy setup a backdoor account on the router that would not appear in the web interface and could not be removed. If remote administration is enabled, the routers are vulnerable remotely. Either way, the routers are vulnerable from the LAN side. A big problem is that these routers have a default userid/password. Just that fact alone should steer you away from these routers. On the other hand, Linksys has co-operated well with IOActive in both acknowledging the problem and fixing it. Some of the buggy routers can self-update but that feature needs to be enabled.

More abuse of TR-069

Thousands of Hacked Home Routers are Attacking WordPress Sites
by Mark Maunder of Wordfence   April 11, 2017
We have seen this story before. ISPs leave the TR-069 port, number 7547, open to the world at large rather than restricting access to themselves. Just more support for my recommendation to avoid using a router from an ISP. Wordfence reports that Shodan found over 41 million devices are listening on port 7547.

Travel routers from TP-LINK, StarTech, TripMate and TrendNet vulnerable

Travel Routers, NAS Devices Among Easily Hacked IoT Devices
by Chris Brook of Kaspersky ThreatPost   April 10, 2017
Bugs in four travel routers were disclosed by Jan Hoersch of Securai GmbH in Munich. The TP-LINK M5250 will cough up administrator credentials in response to an SMS message. A StarTech router has telnet open with a hard coded password of root that can not be changed. On the Hootoo TripMate travel router an unauthenticated user can do a firmware update. The TrendNet TEW714TRU used to let an unauthenticated LAN side user inject arbitrary commands. After the flaw was reported, TrendNet revised the firmware, but the underlying bug remained. Now, however, you have to be an authenticated user to exploit it.

MARCH 2017

Ubiquiti drags their heels fixing a bug

Unpatched vulnerability puts Ubiquiti networking products at risk
by Lucian Constantin of IDG News Service March 16, 2017
As bugs go, this is chump change; only authenticated users can exploit the flaw. The bug, discovered by SEC Consult, allows authenticated users to inject arbitrary commands into the web interface. The bug has been confirmed in 4 Ubiquiti Networks devices but is believed to exist in another 38. The worst part seems to be the way Ubiquiti handled the issue. They acknowledged the flaw at the end of Nov. 2016, then gave SEC Consult a hard time and eventually just went silent. After a while, SEC Consult gave up and went public. Nerds everywhere love Ubiquiti, hopefully they read about this.

Two bugs in GLi routers have been patched

LAN surfing. How to use JavaScript to Execute Arbitrary Code on Routers
by T Shiomitsu of Pentest partners Mar 13, 2017
The GLi range of routers are small and very customizable routers, predominantly for those who fancy an extra level of control over their Wi-Fi-connected devices. Two flaws were found in the GL Innovations firmware v2.24. One was an authentication bypass, the other authenticated code execution. The article has sample code for using WebRTC and JavaScript scanning to find the LAN side IP address of the router. Code is also provided to fingerprint the router. GLi has fixed the flaws in their latest firmware and they responded to the two bug reports, which were made separately, fairly quickly.

Two bugs in old D-Link routers

D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials
by Garret Wasserman of US-CERT   March 15, 2017
Despite the article title, other D-Link models may be affected by these issues too. One bug allows a remote attacker that can access the remote management login page to manipulate the POST request to access some administrator-only pages without credentials. In addition, the tools_admin.asp page discloses the administrator password in base64 encoding. D-Link has confirmed the flaws, there is no information about if or when a patch will be issued. The devices are old. The DIR-330 is a Wi-Fi G VPN Firewall with Fast Ethernet. The DIR-130 is similar but without Wi-Fi. As usual, disable remote administration if not really needed. If it is needed, restrict the allowed source IP addresses. The bugs were discovered by James Edge.

D-Link again. HNAP again.

D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability
by Joel Land of US-CERT   March 8, 2017
As bad as it gets: a remote, unauthenticated attacker can run arbitrary code as root. Yet another reason to disable remote administration. It is disabled by default on the DIR-850L device but, even then, the device can still be attacked from the LAN side. Other D-Link models may also be affected. The vulnerability is in the HNAP service. A bad guy can send a specially crafted POST request to http://routerIPaddress/HNAP1/ that causes a buffer overflow and executes arbitrary code. Beta firmware was released Feb. 17, 2017. The DIR-850L is a dual band Wi-Fi AC router. It is also affected by the November 2016 HNAP flaw in D-Link devices (see below). The bug was reported by Sergi Martinez of NCC Group.


Dealing with a hacked Netgear router

Router assimilated into the Borg, sends 3TB in 24 hours
by Chris Lee of Ars Technica   February 26, 2017
Interesting story by someone who is not a networking expert. His Netgear R6400 router was hacked. The article goes into the symptoms of the problem and the debugging steps that he took to figure out the problem. After realizing the router had been hacked, a factory reset did not fix the problem which tells me that the router was running malicious firmware. DD-WRT was not much help. In the end, the router was a paperweight.

Bugs in two TP-Link routers

Updated Firmware Due for Serious TP-Link Router Vulnerabilities
by Michael Mimoso of Kaspersky Threatpost   Feb. 13, 2017
One flaw allows for remote code execution but only after logging in to the router. Another flaw allows a bad guy to crash the TP-Link C2 and C20i routers. There are weak default credentials for the FTP server in the router. The default firewall rules are too permissive on the WAN interface. The final insult is artistic, Pierre Kim, who found the flaws, claims that three of the modules in the router firmware "are overall badly designed programs, executing tons of system() and running as root." TP-Link plans to release a new firmware in February 2017, patching all the vulnerabilities. Perhaps the worst aspect was that when Kim first contacted TP-Link by livechat he was told "there is no process to handle security problems in TP-Link routers" and the company refused to offer a point of contact for security issues. Ouch.


Netgear routers buggy, yet again

CVE-2017-5521: Bypassing Authentication on NETGEAR Routers
By Simon Kenin of Trustwave   January 30, 2017
There are two bugs in Netgear routers that leak the administrator userid and password. These are not to be confused with the two sets of bugs in Netgear routers last month. Each of these bugs can be exploited from the LAN side and, if remote administration is enabled, also from the WAN/Internet side of the router. Remote Administration should be disabled by default. Still, there are at least ten thousand vulnerable devices that are remotely accessible. The bugs were first reported to Netgear in April 2016 and, to date, all the affected routers have still not been patched. There is a work-around however, enable password recovery. This is an option in the router that requires a secret question before divulging the router password. With password recovery enabled, all is well. On some routers, you can test if it is vulnerable with
Getting patches issued was a long slog, obviously since it has taken 9 months. The first Netgear advisory listed 18 vulnerable devices. A second advisory listed an additional 25 models. As things stand now, there are 31 vulnerable models, 18 of which are patched. However, Trustwave warns that one of the models listed as not vulnerable (DGN2200v4) is, in fact, vulnerable. Ugh. Netgear now has a new procedure for handling reports about flaws in their software.

Thailand ISP ignores router flaws

Router vulnerabilities disclosed in July remain unpatched
by Michael Mimoso of Kaspersky Threatpost   January 17, 2017
The first sentence of this article is all you need to read: "Details on serious vulnerabilities in a number of routers freely distributed by a major Thai ISP were published on Monday after private disclosures made to the vendors in July went unanswered." As I say elsewhere on this site, don't use a router provided by your ISP. TrueOnline, the largest broadband company in Thailand, gives their customers three buggy routers: ZyXel P660HN-T v1, ZyXel P660HN-T v2 and Billion 5200 W-T. Multiple bugs (default admin accounts and command injection vulnerabilities) were found and disclosed by Pedro Ribeiro of Agile Information Security. Most of the vulnerabilities can be exploited remotely, some without authentication. It is likely that the same flaws exist in other ISP customized routers in other countries. A ZyXel representative told Threatpost the router models are no longer supported. Billion ignored a request for comment from Threatpost.

Feds Accuse D-Link of Failing to Properly Secure Routers and Webcams
by Chris Morran of   January 5, 2017
Federal regulators have accused D-Link of leaving its routers and webcam devices vulnerable to hackers. A lawsuit alleges that D-Link "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." D-Link is also accused of misleading the public about the security of their devices. This is the second time the FTC has gone after insecure routers. In February 2016, they went after Asus for their insecure routers. At least Asus took their medicine, D-Link, in contrast, cried foul.

2016


Scam Android apps attack routers with default passwords

Switcher: Android joins the attack-the-router club
by Nikita Buchka of Kaspersky Labs   December 28, 2016
As router attacks go, this is small potatoes. Victims have to install the scam Android apps manually, they are not in the Play store. And, it only impacts TP-Link routers with default passwords. The malware, dubbed Trojan.AndroidOS.Switcher changes the DNS servers in the router, something that can be detected, even though the author of this report fails to point this out (see the Tests page). It's only newsworthy as the first Android apps to attack routers. Still, it has infected 1,280 Wi-Fi networks in China.

Flaws in three ZyXEL routers are not being fixed

ZyXEL and Netgear Fail to Patch Seven Security Flaws Affecting Their Routers
by Catalin Cimpanu of   December 26, 2016
SecuriTeam documented four security flaws affecting three routers manufactured by ZyXEL. Don't think you have a ZyXEL router? Look again, many companies put their own label on ZyXEL hardware. TrueOnline, a major ISP in Thailand provides ZyXEL routers to customers as do other ISPs. The known bad models are the P660HN-T v1, P660HN-T v2, and Billion 5200W-T. The routers are vulnerable to command injection on their web interface, which can be exploited by unauthenticated attackers. Bad guys can thus take control of a router by issuing maliciously-crafted HTTP requests. It's not clear if the vulnerability is on the LAN side, WAN side or both. In addition, the routers come with hard coded backdoor credentials. Ugh. ZyXEL was notified of the problems in July 2016 and chose to stonewall. Thus, there is no workaround or fix.

Bug in the NETGEAR WNR2000

Stack buffer overflow vulnerability in NETGEAR WNR2000 router
by Pedro Ribeiro of Agile Information Security   December 20, 2016
The Netgear WNR2000 router dates back to 2008. It does Wi-Fi "N" on the 2.4GHz band, period. It now sells for about $30. It has a remote code execution flaw that is exploitable over the LAN by default or over the WAN if remote administration is enabled. According to Shodan, about 10,000 of these routers have remote admin turned on. Ribeiro reverse engineered the internal uhttpd web server and found that function apply_noauth.cgi allows an unauthenticated user to perform admin functions. Some of the functions, such as rebooting the router, can be exploited straight away by an unauthenticated attacker. Other functions, such as changing Internet, WLAN settings or retrieving the administrative password, require the attacker to send a "timestamp" variable. But Ribeiro reverse engineered the timestamp generating function due to a flaw in its random number generation. Combining this flaw with some other information leakage, it is possible to recover the administrator password. A stack buffer overflow was also discovered. Bottom line: an unauthenticated attacker can take full control of the device. Ribeiro tried to contact Netgear three times (Sept 26th, Oct 28th and Nov. 29th) and never got a response. However, now that this got some coverage in the press, Netgear has responded and will fix the problems.

DNS changing attack against MANY routers

Home Routers Under Attack via Malvertising on Windows, Android Devices
by Kafeine of Proofpoint   December 13, 2016
Wow, this is bad. And made worse by being hard to detect and defend. Viewing a web page is all it takes to have a router attacked. The main goal of the malware is to change the DNS servers in the router. These server assignments normally propagate to all devices on a network. In some cases the malware also opens ports on the WAN side of the router leaving it vulnerable to other attacks. This malware was first seen in 2015 when it exploited 55 known router flaws. This new improved version can exploit 166 known flaws, some of which work against several router models. If the malware can't find a known bug for a router, it tries to logon to the router with default credentials. You do not have to visit a "bad" website, "the attack chain ensnares victim networks though legitimate web sites hosting malicious advertisements unknowingly distributed via legitimate ad agencies." Which routers are vulnerable? The article says "It is not possible to provide a definitive list of affected routers." That said, some routers were pointed out for being newly vulnerable: D-Link DSL-2740R, COMTREND ADSL Router CT-5367 C01_R12, NetGear WNDR3400v3 (and likely other models in this series), Pirelli ADSL2/2+ Wireless Router P.DGA4001N and Netgear R6200. Reading through the article, it's obvious that the malware is very sophisticated. What to do? "Unfortunately, there is no simple way to protect against these attacks." In a Dec. 19th update, Proofpoint wrote "At this time, a minimum of 56,000 routers have been compromised, but we expect that number is considerably higher."
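
Because changed DNS server assignments propagate from the router to the devices behind it, both this attack and the Switcher apps described above can show up in a client's own resolver configuration. The following is an added example, not taken from either article: it parses resolv.conf-style text and compares each resolver against a list you approve. The approved address, the router addresses and the sample file are constructed values and assumptions.

```python
import ipaddress

# Constructed sample of what a client's /etc/resolv.conf might contain.
SAMPLE_RESOLV_CONF = """\
# constructed sample for this example
search lan
nameserver 198.51.100.53
nameserver 192.168.1.1
nameserver 127.0.0.53
nameserver fe80::1%eth0
nameserver not-an-address
options edns0
"""


def parse_nameservers(text):
    """Return the address token of every 'nameserver' line, in file order."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def classify(servers, approved, router_addrs):
    """Label each resolver as approved, router-relay, local-stub,
    unexpected or unparseable."""
    approved_set = {ipaddress.ip_address(a) for a in approved}
    router_set = {ipaddress.ip_address(a) for a in router_addrs}
    report = []
    for text in servers:
        try:
            # Drop an IPv6 zone suffix such as %eth0 before parsing.
            addr = ipaddress.ip_address(text.split("%", 1)[0])
        except ValueError:
            report.append((text, "unparseable"))
            continue
        if addr in approved_set:
            status = "approved"
        elif addr in router_set:
            # The router answers DNS itself. The client cannot see which
            # upstream servers it forwards to, so the DNS settings inside
            # the router still have to be checked.
            status = "router-relay"
        elif addr.is_loopback:
            # A local stub resolver; its upstream servers are configured
            # elsewhere on this machine and need the same comparison.
            status = "local-stub"
        else:
            status = "unexpected"
        report.append((text, status))
    return report


def needs_attention(report):
    """Resolvers that nobody approved or that could not be understood."""
    return [text for text, status in report
            if status in ("unexpected", "unparseable")]


if __name__ == "__main__":
    report = classify(
        parse_nameservers(SAMPLE_RESOLV_CONF),
        approved=["192.0.2.53"],                 # assumption: your chosen DNS
        router_addrs=["192.168.1.1", "fe80::1"], # assumption: your router
    )
    for text, status in report:
        print(f"{text:20s} {status}")
    print("investigate:", needs_attention(report))
```

A clean result on the client is not proof the router is clean: when every entry is a router-relay, the comparison has to be repeated against the DNS servers configured in the router itself.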

Netgear router flaw affects 11 models

CERT Warns Users to Stop Using Two Netgear Router Models Due to Security Flaw
by Catalin Cimpanu of Bleeping Computer   December 10, 2016
At least two Netgear routers, the R6400 and R7000 are vulnerable to a command injection flaw that is easy to exploit and could lead to total takeover of the routers. There has, as yet, been no response from Netgear. CERT has gone so far as to say "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available." The documentation released so far does not make it clear if the devices are vulnerable on the LAN side only, WAN side only or both.


TR-064 protocol abused in new attack

Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
by Johannes Ullrich of SANS   November 28, 2016
Port 7547 is used by a remote management protocol known as either TR-069 or CWMP. It has been trouble before and I already suggest testing for it on the Tester Page. A ton of mistakes were involved here. There was a TR-064 server available to the Internet at large on port 7547, which is two mistakes right there. TR-064 suffers from information disclosure issues. On some routers at least, it's also buggy, letting attackers run commands and totally take over the router. Finally, some routers hang when dealing with too many incoming connections, which is what the malware did to spread. So even routers that were not infected were knocked off-line. Oh, and the malware is a new variant of Mirai. According to Shodan, about 41 Million devices have port 7547 open. This attack is confirmation of my position to not use a router provided by your ISP.

Yet another HNAP bug in D-Link routers

Turn off remote admin, SOHOpeless D-Link owners
by Richard Chirgwin of The Register   November 8, 2016
Carnegie-Mellon Computer Emergency Response Team (CERT) reports a buffer overflow flaw in the HNAP service running on at least 8 D-Link routers. There is no fix from D-Link. The flaw can be exploited on the LAN side over port 80. The documentation is inconsistent as to whether it can also be exploited remotely. Known vulnerable models are the: DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L and DIR-868L. However, D-Link markets these routers using alternate names such as the AC5300 Ultra Wi-Fi Router so you may need to map the external name to the internal model number. The flaw was discovered by Pedro Ribeiro of Agile Information Security back in July 2016. It's not clear why it got no publicity until Nov. 7, 2016. D-Link has a long history of vulnerabilities in their implementation of the HNAP protocol. CERT initially had no practical solution to this problem. On Nov. 10th, just days after this got publicity, D-Link issued the first round of patched firmware.


Still more attacks are changing DNS servers in routers

Cybercriminals target Brazilian routers with default credentials
by ESET   October 21, 2016
Quoting: "Households and small businesses that use consumer-grade internet routers may fall victim to attacks that are currently targeting mainly Brazilian users, but may be easily localized to any other country. These attacks have been around since 2012, but the risks they carry are rising sharply ... we are closely monitoring these attacks in order to keep pace with recent developments in the attackers' techniques. It seems likely that there are different groups conducting these attacks ... The main objectives of these attacks are to change the DNS configuration, allow remote management of the router by accessing it with its public IP, and to set a predefined password - often the router's default password - for potential easy access for the perpetrators at a later time."
These attacks can be defended against by not using the default router password and not using the default router IP address. Also, check your current DNS servers using and/or
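One way to script the DNS check suggested above on a single computer, as an added example that is not from ESET or from this site. It assumes resolver settings in resolv.conf format (Linux, macOS); the function names, the sample file contents and the trusted addresses are constructed for illustration.

```python
import ipaddress

# Ranges that mean "the router itself" or "a stub resolver on this machine".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample. 203.0.113.53 is a documentation address standing in
# for a resolver that nobody on the network chose.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not taken from a real device
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver fe80::1%eth0
nameserver 9.9.9.9
nameserver not-an-ip
"""


def parse_nameservers(resolv_conf_text):
    """Yield the raw address from every 'nameserver' line."""
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            yield fields[1]


def audit_resolvers(resolv_conf_text, trusted):
    """Classify each configured resolver.

    Returns (address, verdict) tuples; verdict is 'trusted',
    'local-forwarder', 'unexpected' or 'malformed'.
    """
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    results = []
    for raw in parse_nameservers(resolv_conf_text):
        try:
            ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            results.append((raw, "malformed"))
            continue
        if ip in trusted_ips:
            verdict = "trusted"
        elif any(ip.version == net.version and ip in net for net in LOCAL_NETS):
            # Queries go to the router or a local stub, so this file cannot
            # show which upstream servers are really used.
            verdict = "local-forwarder"
        else:
            verdict = "unexpected"
        results.append((str(ip), verdict))
    return results


def needs_attention(results):
    """Entries that should be investigated right away."""
    return [r for r in results if r[1] in ("unexpected", "malformed")]


if __name__ == "__main__":
    # The trusted list is an assumption: put the resolvers you chose here.
    for address, verdict in audit_resolvers(SAMPLE_RESOLV_CONF,
                                            ["9.9.9.9", "149.112.112.112"]):
        print(f"{address:20} {verdict}")
```

A "local-forwarder" verdict only means the computer asks the router; the DNS servers configured in the router's own admin interface still have to be compared against the ones you expect.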

TheMoon malware version 2 adds attacks on more routers

TheMoon Botnet Still Alive and Well After Two Years
by Catalin Cimpanu   October 20, 2016
TheMoon worm was discovered in early 2014 attacking vulnerable Linksys routers. In response, Linksys issued a firmware update. In response, the bad guy added an attack on vulnerable Asus routers. Sending malicious UDP data lets a bad guy execute malware on vulnerable Asus routers. And, the malware adds firewall rules to protect an infected router from other malware. One of these rules protects D-Link routers from an HNAP SOAP flaw so it is assumed the malware also targets D-Link routers.

Two stories about routers with default passwords

At least 15% of home routers are unsecured
by Peter Stancik of ESET   October 19, 2016
ESET tested more than 12,000 home routers and found that 15% used weak passwords. It's a matter of opinion as to whether this is good or bad news. They also found, not surprisingly, that "admin" was the userid in most cases. As for bugs, they found that 7% had "vulnerabilities of high or medium severity" and that 20% had Telnet open on the LAN side.
The very same day that ESET released its report, Brian Krebs wrote about a July 2015 conversation with someone who scanned the Internet for routers using default passwords, found over 250,000 of them and uploaded "some kind software to each vulnerable system."

Bad guys frequently scan for router flaws

Home Routers - New Favorite of Cybercriminals in 2016
by Bing Liu of Fortinet   October 12, 2016
Fortinet has been monitoring the outbreak of attacks targeting home routers. More and more scans are looking for known bugs in routers from D-Link, Asus and Netis. Back in August 2014, it was revealed that Netis routers have a hard coded password backdoor. Fortinet started looking for hacking attempts against this backdoor in July and there are many of them. A vulnerability that allowed Unauthenticated Remote Command Execution was discovered in D-Link routers back in 2013. Fortinet initially found very few bad guys trying to abuse this flaw, until this past summer when the hacking attempts went way up (two million in the last 30 days). The Asus flaw is puzzling. It was disclosed in Jan. 2015 and has to do with the infosvr service listening on UDP port 9999. The bug lets an unauthenticated LAN side device execute commands in the router as the root user. What's puzzling is that the flaw was not supposed to be exploitable from the Internet. Yet, starting this past June, they saw a "surge in activity" trying to exploit it.


A D-Link router has miserable security and D-Link is slow to respond

D-Link DWR-932 B owner? Trash it, says security bug-hunter
by Richard Chirgwin of The Register   September 29, 2016
The router has more than 20 vulnerabilities. Yikes. "Following the consumer broadband industry's consistently lackadaisical attitude to security, the device suffers from everything from backdoor accounts to default credentials, leaky credentials, firmware upgrade vulns and insecure UPnP." The bugs were found by Pierre Kim, who has found other router bugs previously. The D-Link box is based on a Quanta LTE device which is the true source for some of the bugs. Five bugs are in the qmiweb webserver from Quanta. Examples: SSH and telnet are enabled by default, with two backdoor accounts (admin:admin, and root:1234). Most important points: it would be trivial to hack this router and add it to a botnet, and, D-Link blew Kim off when he tried to tell them about these problems.

IoT insecurities - stick them in an isolated network

Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON
by Lucian Constantin of IDG News Service   September 13, 2016
That IoT devices have poor security is not news. Only one of the 23 devices was a router. My take-away from this story is that IoT devices should be isolated as much as possible. We don't want a compromised device to be able to do anything to any other device. For more on this see the Guest Network topic in my description of the Pepwave Surf SOHO router.

Inteno refuses to fix their buggy routers

ABBA-solutely crapulous! Swedish router-maker won't patch gaping hole
by Iain Thomson of The Register   September 2, 2016
Harry Sintonen of F-Secure found a vulnerability in some Inteno routers that lets a bad guy install their own firmware. The routers are managed by the ISP using a protocol called both TR-069 and CWMP (CPE WAN Management Protocol). Routers using this protocol phone home to an Auto Configuration Server (ACS) operated by the ISP. While the Inteno routers do use HTTPS, they do not validate the certificate they get from the ACS server. That means a bad guy, who can man-in-the-middle the connection, can feed the router hacked firmware. Inteno could care less, they blew the whole thing off. The good news is that since the ACS server should be in the internal network of the ISP, the flaw is hard to exploit. An attacker would need a privileged position on the ISP network.

This is why Router Security matters

IoT Home Router Botnet Leveraged in Large DDoS Attack
by Daniel Cid of Sucuri   September 1, 2016
This is a blog post about a DDoS attack that Sucuri fought off for a client. The attack used three different botnets, one of them composed of routers. Sucuri detected over 11,000 compromised routers from eight different vendors. Quoting: "The largest number of routers being exploited came from Huawei-based routers. They varied between versions: HG8245H, HG658d, HG531, etc." Other routers were from MikroTik, Ubiquiti, NuCom, Dell SonicWall, VodaFone, Netgear, and Cisco-IOS.


Multiple D-Link routers have a buffer overflow processing cookies

Vulnerability Note VU#332115 D-Link routers contain buffer overflow vulnerability
by CERT   August 11, 2016
Quoting: "D-Link DIR routers contain a stack-based buffer overflow vulnerability, which may allow a remote attack to execute arbitrary code." The overflow is in a function that validates the session cookie; it did not verify the length of the cookie properly. The flaw was first reported on May 31, 2016 and the first fixes were released Aug. 11, 2016. Some of the affected routers are the DIR-850L, DIR-890L, DIR-880L, DIR-868L and the DIR-818L. The bug can be exploited both locally and remotely. The worst of this, to me, is that the router exposes port 8181 on the Internet. A router should never need to leave ports open on the WAN side.

BHU Networks router is terribly insecure

by Chris Brook of Kaspersky Threatpost   August 19, 2016
Tao Sauvage, a Security Consultant with IOActive Labs, purchased a BHU WiFi router on a recent trip to China that could easily be exploited to do pretty much anything. There are three different ways to gain administrative access to the router's web interface. The router accepts any session ID cookie, which lets anyone be an authenticated user. And, he found it easy to elevate privileges from admin to root. The router is also accessible from the Internet side and it enables SSH at startup and has a hardcoded root password. What's left? It injects suspicious looking third party JavaScript into HTTP traffic. Yikes. The manufacturer, BHU Networks Technology, is based in Beijing.

Another high end vendor, Ruckus, found vulnerable

Ruckus Raucous: Finding Security Flaws in Enterprise-Class Hardware
by Craig Young of Tripwire   August 3, 2016
I started this page to highlight bugs in consumer routers, yet the big boys are buggy too. At first, Young tested a Ruckus ZoneFlex. Quoting: "Within a few minutes of setting up the device, I found a command injection, which is exploitable through a forged request due to a general lack of CSRF tokens. As with many of the consumer routers I had tested, the ZoneFlex offers ... a simple ping test, with apparently no input sanitization." Consumer routers commonly have all processes running as root. Same with Ruckus. Young also found an Authentication Bypass: "All requests containing a particular string received '200 OK' responses. By creatively adding this string to other requests, I was able to get response data intended only for authenticated queries. This is a behavior I have observed in routers from NETGEAR, TrendNET and Asus." And, two other flaws: a Denial of Service and an Information Disclosure (the serial number is exposed). To me, the worst issue was that Young could not get in touch with Ruckus. This is a disgrace. My favorite router vendor, Peplink, has an online Forum where experts respond to questions and problems.

JULY 2016

120 D-Link devices may be buggy, including routers

D-Link Wi-Fi Camera Flaw Extends to 120 Products
by Michael Mimoso of Kaspersky Threatpost July 7, 2016
"A software component that exposed D-Link Wi-Fi cameras to remote attacks is also used in more than 120 other products sold by the company. Researchers at Senrio, who found the original vulnerability, disclosed today additional details of product vulnerabilities related to the component after collaborating with D-Link. Senrio said the flaw also puts D-Link Connected Home products at risk, including other cameras, routers, models and storage devices." There are no patches, yet. There are three flaws. The most severe is an unbounded/unchecked string copy that can be exploited to cause remote code execution.

TP-LINK lets domain lapse

TP-Link routers exposed to potential security flaw after domain registration lapses
by Boyd Chan of Neowin   July 4, 2016
One way that hardware vendors try to make the initial configuration of a router easier is by telling users to browse to a domain name rather than an IP address. TP-LINK uses both and and they forgot to renew their ownership of It's now owned by someone outside of the company and TP-LINK has, so far, refused to buy it back. This was discovered by Amitay Dan who also claims that TP-LINK is updating their documentation. I checked the TP-LINK website and found one item that says to use either an IP address or the domain they still own ( and another item that says to use Dan claimed that TP-LINK stopped talking to him after he brought this to their attention. If true, it's a rare chance to see how much a company really cares about security. I blogged about this and did some testing. It is not a security issue for owners of TP-LINK routers. They intercept requests to and direct them to the router rather than the Internet. However, it could well be a problem for everyone else. I also found another domain that TP-LINK lost control of.

JUNE 2016

Apple routers are buggy and Apple offers no details at all

Apple fixes serious flaw in AirPort wireless routers
by Lucian Constantin in PC World   June 21, 2016
Apple has released firmware updates for its AirPort routers to fix a memory corruption bug stemming from DNS data parsing. Yet again, Apple deals with security problems by saying nothing. This tells me they can't be trusted.
Quoting: "As is typical for Apple security announcements, the company did not release details about possible exploitation scenarios and did not assign a severity rating for the flaw ... What is not clear is whether the data parsing issue is in the DNS server or DNS client functionality.... If the error is in the parsing of queries received from LAN computers, it would limit the attack to the local network. Whereas, if the flaw is in the parsing of DNS responses, it could be exploited remotely... Another unknown is the privilege with which attackers would execute malicious code if this flaw is successfully exploited. If the code is executed under the root account, it could lead to a full device compromise."
It appears the bug was first known about back in September 2015. Pretty slow response. Apple routers do not self-update; installing the new firmware requires you to use either AirPort Utility 6.3.1 or later on OS X or AirPort Utility 1.3.1 or later on iOS. This means customers may have to update the AirPort utility before they can update the router.

Don't hold your breath waiting for Cisco bug fixes

Cisco Won't Patch Critical RV Wireless Router Vulnerability Until Q3
by Michael Mimoso of Kaspersky Threatpost   June 16, 2016
The Cisco RV series of wireless VPN firewalls and routers have flaws in their web interface that allow for remote code execution. Workarounds are not available, yet Cisco plans on fixing this in the third quarter of 2016. To exploit the bug, just send the device a malicious HTTP request. If remote management is enabled, this can be exploited remotely. Affected models are the RV110W Wi-Fi VPN Firewall, RV130W Wi-Fi VPN Router and the RV215W Wi-Fi VPN Router. Not buggy enough? There are also cross-site scripting and buffer overflow bugs in the same devices.

MyD-Link devices are vulnerable

D-LINK patches weak crypto in MYD-LINK devices
by Michael Mimoso of Kaspersky Threatpost   June 14, 2016
A couple of flaws were found in My-DLink devices such as the DIR-810L cloud router. Other vulnerable devices include IP Cameras and home routers. One flaw is not verifying certificates after making an SSL connection, the other is using SSL v2 and SSL v3, both of which are known to have security flaws. The flaws were found by Firmalyzer and D-Link released updated firmware. However, I looked for DIR-810L firmware on the D-Link website and could not find anything. The articles did not link to it either.
Update: a reader emailed me to point out that updated firmware is available for the B model of DIR-810L but not for the A model (see link below). The firmware is dated June 13th and marked as BETA.
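The two mistakes described here (no certificate verification, SSL v2/v3 still allowed) and the unvalidated ACS certificate in the Inteno item above are settings on the client end of a TLS connection. As an added example, not code from D-Link, Inteno or Firmalyzer, this uses Python's ssl module to put the weak configuration beside a corrected one and to audit a configuration for both mistakes; the function names are hypothetical.

```python
import ssl


def hardened_client_context(ca_file=None):
    """TLS client settings for a device that phones home to a server.

    ca_file is an optional PEM bundle for a private CA (an ISP's, say);
    with None the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies cert and name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # nothing older is offered
    return ctx


def unverified_client_context():
    """The weak pattern: an encrypted channel to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client-side TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the host")
    floor = ctx.minimum_version
    # MINIMUM_SUPPORTED is a negative sentinel, so it is flagged as well.
    if floor != ssl.TLSVersion.MAXIMUM_SUPPORTED and floor < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "no findings")
```

With verification off, a man-in-the-middle's certificate is accepted like any other, which is the position the Inteno item describes for firmware delivered by the ACS.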

Netgear issues bug fixes

Netgear router update removes hardcoded crypto keys
by Michael Mimoso of Kaspersky Threatpost   June 11, 2016
Netgear has released firmware updates for two of its router product lines, patching vulnerabilities that were reported in January. Models D6000 and D3600 are known to be vulnerable, but other models and firmware versions could also be susceptible to the same issues. One issue is an authentication bypass vulnerability, the other is a hard-coded cryptographic key. The devices are vulnerable to attack on the LAN side and remotely, if remote management is enabled. Abusing the flaws, an attacker can gain administrator access. A remote attacker able to access the /cgi-bin/passrec.asp password recovery page may be able to view the administrator password in clear text by examining the source code of the page. Two things are required to work around the problem: the password recovery feature must be enabled and remote management must be disabled. Netgear says "The potential for password exposure remains if you do not complete both steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification .. NETGEAR is working on a firmware fix and will email the download information to all registered users when the firmware becomes available. To register your product, visit "

IPv6 Ping of Death hits Cisco and Juniper

Cisco warns IPv6 ping-of-death vuln is everyone's problem
by Shaun Nichols of The Register   June 2, 2016
Cisco devices running IOS XR, Cisco IOS, Cisco IOS XE and Cisco NX-OS software have a flaw in their processing of IPv6 Neighbor Discovery (ND) packets. Exploitation of this bug could cause high CPU usage, the suspension of processing all IPv6 traffic or the temporary loss of services for traffic that terminates on the device, in addition to IPv6 traffic. Cisco is working on fixes, but there is no timetable. Juniper has three bugs with IPv6 Neighbor Discovery processing in Junos OS.

MAY 2016

Industrial company Moxa has buggy routers

Serious Vulnerabilities Found in Moxa Industrial Secure Routers
by Eduard Kovacs of Security Week   May 19, 2016
Frankly, I had never heard of Moxa. The article calls them an "Industrial networking, computing and automation solutions provider" and says that their EDR-G903 series is an industrial router used in the United States, Europe and South America. Multiple high severity flaws, that can be exploited remotely, were discovered in January by Maxim Rupp. Configuration files store passwords in plain text. Both configuration and log files can be accessed with a specific URL by an unauthenticated attacker. A remote attacker can also cause the device to enter a DoS condition by sending it malicious requests. Patches have been issued, but they have not yet been verified to work.

Another business class company, Ubiquiti, has bugs

Worm infects unpatched Ubiquiti wireless devices
by Lucian Constantin of IDG News   May 20, 2016
Quoting: "Routers and other wireless devices made by Ubiquiti Networks have recently been infected by a worm that exploits a year-old remote unauthorized access vulnerability. The attack highlights one of the major issues with router security: the fact that the vast majority of them do not have an auto update mechanism and that their owners hardly ever update them manually." The bug has been fixed, but devices were not updated with patched firmware. The Resources page of this site lists routers that can self-update. Affected devices include the airMAX M Series, AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber. The bug was easy to exploit. The latest worm creates a backdoor account, then adds a firewall rule that blocks legitimate administrators from accessing the Web-based management interface.

26 bugs in Aruba Networks devices

Aruba fixes networking device flaws
by Lucian Constantin of IDG News Service   May 9, 2016
The interesting part of this story is that all the bugs were found by Google. The last time I was in a Google office, I noticed that they use Aruba for their Wi-Fi. The vulnerabilities affect ArubaOS, Aruba's AirWave Management Platform (AMP) and Aruba Instant (IAP). The 26 different issues range from privileged remote code execution to information disclosure, insecure updating mechanism and insecure storage of credentials and private keys. Under certain circumstances, attackers can compromise devices. There are also design flaws in an Aruba proprietary management and control protocol dubbed PAPI.

APRIL 2016

Malware changes router DNS settings

Mobile Devices Used to Execute DNS Malware Against Home Routers
by Chisato Rokumiya of Trend Micro   April 11, 2016
Trend Micro discovered a JavaScript based router attack that originated in December 2015. For whatever reason the malicious code only runs from websites loaded by mobile devices. The malware targets routers from D-Link, TP-LINK, ZTE and perhaps others as the code is constantly changing. There are two infection vectors. The first is brute force, the malware tries 1,400 combinations of popular or default userids/passwords. It also targets "a specific vulnerability that currently exists in ZTE-based routers." The malware has been seen world-wide with the top countries being Taiwan, Japan, China, the United States, and France. This type of brute force attack is to be expected. It is why, on the home page of this site, changing the router password is the first suggestion. And, it is why I also suggest changing the userid used to log on to the router, when possible.

Quanta routers have every bug ever made

Multiple vulnerabilities found in Quanta LTE routers
by Pierre Kim   April 4, 2016
Quoting: "Quanta Computer Incorporated is a Taiwan-based manufacturer of electronic hardware. It is the largest manufacturer of notebook computers in the world. The Quanta LTE QDH Router device is a LTE router / access point overall badly designed with a lot of vulnerabilities. It's available in a number of countries to provide Internet with a LTE network." Some of the bugs that Kim found: Hardcoded SSH Server key, Backdoor accounts, Router DoS, WebInterface Information Leak, two remote code execution flaws, two Backdoors, two flaws with WPS, Remote Firmware Over The Air, arbitrary file browsing and reading, etc. The buggy firmware seems to be used in many routers. My favorite part was Mr. Kim's opinion: "... at best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor." The company will not fix any of these bugs. As I say elsewhere on this site, avoid all consumer routers.

Arris cable modem issue

ARRIS (Motorola) SURFboard modem unauthenticated reboot flaw
by David Longenecker   April 1, 2016
In a poor design decision, the Arris SB6141 cable modem can be rebooted and reset without requiring a password. This, combined with its having a dedicated IP address, means that a malicious web page can knock you off-line, for a bit. This is not a bug or a flaw, that's the way it was designed. The same flaw existed in the older SURFboard 5100 model at least as early as 2008 and it also exists in the 6121 model. Longenecker first reported the problem to Arris in January 2016 and he was ignored, until this got widely picked up in the press. When they were shamed into it, Arris changed the design. But, anyone with an affected modem is at the mercy of their ISP to install the update. It has been two months since Arris released new firmware, as I am writing this, and Time Warner has not yet rolled out the update. In fact, I was told by a Time Warner rep on the phone that it's not their job to do so.

MARCH 2016

Telnet being abused by Remaiten bot

Your Linux-based home router could succumb to a new Telnet worm, Remaiten
by Lucian Constantin of IDG News Service   March 31, 2016
Remaiten is a new worm, discovered by ESET, that infects routers and other devices by taking advantage of weak Telnet passwords. The page on this site that lists services many/most people should turn off on their routers includes Telnet. The software, also called KTN-Remastered, connects to random IP addresses on port 23. When a Telnet server is found, the software tries to login with assorted common passwords. The bot supports a variety of denial-of-service attacks. The Test Your Router page on this site links to assorted firewall testers that can tell you if your router has exposed a Telnet server.

Netgear router password flaw

Optus cable routers let anyone change passwords, says tech
by Darren Pauli of The Register   March 17, 2016
There is a password flaw in the web interface of Netgear CG3000v2 gateways (combo router/modem/telephone adapter) provided by Australian ISP Optus. Specifically, the SetPassword.asp page, which prompts for the old and new password, ignores the old password and changes the password to the new one all the time. The flaw was discovered by Paul Szabo of the University of Sydney. When he informed both Netgear and Optus, they ignored him. Back in April 2014, this same Netgear box was the subject of another security flaw: it had both Telnet and SSH active with the same default password on every box. See Default password leaves tens of thousands of Optus cable subscribers at risk. Yet more proof not to use hardware provided by an ISP.

Modems can be buggy too

Cisco patches serious flaws in cable modems and home gateways
by Lucian Constantin of IDG News Service March 10, 2016
Quoting: "Cisco Systems has patched high-impact vulnerabilities in several of its cable modem and residential gateway devices ... The embedded Web server in the Cisco Cable Modem with Digital Voice models DPC2203 and EPC2203 contains a buffer overflow vulnerability that can be exploited remotely without authentication ... [the] Cisco DPC3941 Wireless Residential Gateway with Digital Voice and Cisco DPC3939B Wireless Residential Voice Gateway are affected by a vulnerability that could lead to information disclosure [by] an unauthenticated, remote attacker ... The Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA is affected by a separate vulnerability ... that could lead to a denial-of-service condition."


A ton of new router flaws discovered

New firmware analysis framework finds serious flaws in Netgear and D-Link devices
by Lucian Constantin of IDG News Service   Feb 29, 2016
Been there done that. Once again, a group of researchers looked at many router firmwares and found a ton of bugs. The bug hunting was done with a framework called FIRMADYNE built by Daming Chen, Maverick Woo and David Brumley from Carnegie Mellon University and Manuel Egele from Boston University. They found 887 firmware images that were vulnerable to at least one of 74 known exploits. They also found 14 previously unknown vulnerabilities in 69 firmware images used by 12 products. The Web management interface of six Netgear devices (WN604, WN802Tv2, WNAP210, WNAP320, WNDAP350 and WNDAP360) contains several pages that can be accessed without authentication and could allow attackers to pass input directly to the command line. In addition, the Netgear WN604, WNAP210, WNAP320, WND930, WNDAP350 and WNDAP360 also include Web pages that can be accessed without authentication and they expose the WPS PIN code. WPS bad. As for D-Link, the web server used in the D-Link DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2660, DAP-2690 and DAP-2695 has a buffer overflow vulnerability that can be triggered when processing a cookie. And, more. Six other devices (the D-Link DAP-1353, DAP-2553 and DAP-3520 and the Netgear WNAP320, WNDAP350 and WNDAP360) expose wireless passwords and admin credentials over SNMP. Perhaps the most important issue here is that D-Link never responded to the researchers reporting these bugs. Netgear will have fixes out by mid March.

FTC goes after ASUS routers for bad security

ASUS Settles FTC Charges That Insecure Home Routers and "Cloud" Services Put Consumers' Privacy At Risk
by the FTC   February 23, 2016
The security of ASUS routers was flawed in many ways. What seems to have brought the U.S. Government down on them were the flaws with the security of storage devices plugged into a USB port in the router. The two features are called AiCloud and AiDisk. The bugs are listed on the bugs page of this site. The password protection was easy to bypass, so much so, that good guys would leave messages for people warning that their router was easily hacked. All this while ASUS was bragging about how secure this was. Manuals suggested that users all use the same userid and password. The FTC claims that ASUS did not take reasonable steps to secure the software on their routers. Then too, the usual behavior from consumer router companies: ignoring reports of bad security for months on end and even when updated firmware is finally made available, the router incorrectly reports that there is no available update. ASUS agreed to pay a fine and to security audits every two years. In summary, more proof to my argument that all consumer routers should be avoided.

A warning about configuring Asus routers

Poor UX leads to poorly secured SoHo routers
by David Longenecker blogging at Security For Real People   Feb. 7, 2016
Asus routers with an RT in the model name suffer from a user interface design flaw. If the firewall is disabled, remote administration (which Asus calls "Web Access from WAN") is enabled, even if remote administration is specifically disabled by the user. That is, the firewall setting over-rides the remote admin setting and nothing about this is externalized to the end user. Longenecker stumbled across this by accident while checking his public IP address in Shodan. He found over 135,000 Asus wireless routers that can be logged into from the Internet. I take this as yet another reason to always change the remote admin port number, even if you have disabled remote administration.

Building router hacked

Building automation systems are so bad IBM hacked one for free
by Darren Pauli of The Register   Feb 11, 2016
Quoting: "An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security ... they found exposed administration ports ... gaining access to a D-Link panel enabled to allow remote monitoring ... by adding an extra carriage return after the page request it was possible to bypass the router's authentication. They found command injection vulnerabilities in the router and found a list of commands in the firmware source code. They found a cleartext password in the router's var directory that not only granted more router pwnage but, thanks to password-reuse, allowed them to compromise the building management system." No mention of who made the router, let alone a model number.

Two issues in Cambium Networks ePMP1000 router

CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of Feb. 5, 2016
SNMP is enabled by default and the default configuration has community strings "public" and "private" for read and write respectively. This allows a remote attacker to potentially reboot the device using the SNMP write community. There are also multiple default userids and passwords and SSH is enabled by default. Default user/pswd admin/admin is allowed unrestricted access via SSH. Three additional userid/password pairs are installer/installer (an admin), home/home (readonly) and read-only/read-only (also readonly).

Two issues in Ubiquiti AirOS and EdgeMax routers

CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of Feb. 5, 2016
Mostly quoting: All current products have the default userid/password of ubnt/ubnt and have SSH enabled by default. The ubnt user also has sudo access via sudo -s. This gives remote attackers the ability to make changes ... This is very well known to attackers, and Ubiquiti devices make for a great target as they can support SOCKS proxying, and a wide variety of malware.
Mostly quoting: When an AirOS device switches back to factory defaults, it copies the /usr/etc/system.cfg to /tmp/system.cfg; saves and then reboots. An attacker ... can thus make changes to this default configuration to maintain persistence on a device ... current versions of the EdgeMax EdgeOS store the factory default configuration as well as other configurations in /opt/vyatta/etc/. An attacker can modify these configs, thus maintaining persistence across factory resets. Also, it would be very easy for a remote attacker to reset the device to defaults.

Mikrotik RouterOS default passwords

CARISIRT: Defaulting on our Passwords (pt.2): Attacker-Friendly Security
by Zachary Wikholm of Feb. 5, 2016
Mostly quoting: A long standing problem in the Mikrotik RouterOS is the default username and password. All versions including the 6.34 release have default user of "admin" with no password ... many devices are compromised within the first few hours of being put on line. During our tests, a device with the username "admin" and no password was compromised within 15 minutes and had 9 unique pieces of malware running within 20 minutes ... also allows SSH access without a password.


Default TP-LINK router password needs only 70 guesses

The Wi-Fi router with a password that takes just 70 guesses
by Paul Ducklin of Sophos   January 27, 2016
Some TP-LINK routers have unique default passwords. But the passwords require, at most, 70 guesses. Most of the password is based on the publicly advertised MAC address of the router. The remaining byte has, in theory, 256 possible values, but some detective work showed where this byte comes from and it has only 70 possible values. Not the first time something like this has happened. Never use the default router password.

Another attack on the HNAP protocol

Threat Group Uses Dating Sites to Build a Botnet of Vulnerable Home Routers
by Catalin Cimpanu of Softpedia   Jan. 21, 2016
Some dating websites are spreading a worm to their visitors, infecting their routers and adding them to a botnet. The worm is a new variant of TheMoon, which was first discovered in February 2014. It takes advantage of weaknesses in the Home Network Administration Protocol (HNAP). An iframe checks to see if the router supports HNAP. If so, it calls home, informing its creators of the good news. Then a second URL delivers the worm, which is a Linux ELF binary. The worm prevents users from using some inbound ports, and opens outbound ports through which it spreads to other routers. If you take the advice offered here, you would be safe from this because it only looks for the usual suspects regarding the router's IP address.

Asus routers may never log you off

Administrator logout flaw in ASUS wireless routers
by David Longenecker blogging at Security for Real People   January 19, 2016
One item on my router security checklist is that a router should log you off after a certain period of time. Prior to April 2014, Asus did not offer this feature. Now they do; however, they do it wrong. Longenecker found that ASUS routers, up to and including firmware from Dec 29, 2015, rely on JavaScript in the browser to enforce the auto-logout function. This means if you close the browser window without logging off, the router will keep you logged in forever (really until the router reboots). The same holds if JavaScript is blocked in the browser. If you have an ASUS router be sure to always log yourself off. Furthering my argument to avoid consumer routers is the fact that Longenecker first reported this to ASUS in December 2014 and they never bothered fixing it.
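
As an added illustration (not code from ASUS, Longenecker or this site), here is what an idle timeout looks like when the server enforces it instead of browser JavaScript: the session dies on schedule even if the browser window was simply closed. The SessionStore class, its method names and the 10-minute limit are assumptions made up for the example.

```javascript
// Added example: the idle timeout lives on the server, so it holds even when
// the browser is closed or JavaScript is blocked. All names are hypothetical.
const crypto = require('crypto');

class SessionStore {
  // idleMs: allowed idle time; now: injectable clock so the demo needs no waiting
  constructor(idleMs, now = () => Date.now()) {
    this.idleMs = idleMs;
    this.now = now;
    this.sessions = new Map(); // token -> { user, lastSeen }
  }

  login(user) {
    const token = crypto.randomBytes(32).toString('hex'); // unguessable session id
    this.sessions.set(token, { user, lastSeen: this.now() });
    return token;
  }

  // Run on every admin request; returns the user, or null if not logged in.
  authenticate(token) {
    const s = this.sessions.get(token);
    if (!s) return null;
    if (this.now() - s.lastSeen > this.idleMs) {
      this.sessions.delete(token); // expired: no client cooperation required
      return null;
    }
    s.lastSeen = this.now(); // only real requests extend the session
    return s.user;
  }

  logout(token) { return this.sessions.delete(token); }
}

// Constructed scenario: admin logs in, works for 5 minutes, closes the window.
function demo() {
  let clock = 0;
  const store = new SessionStore(10 * 60 * 1000, () => clock);
  const token = store.login('admin');
  clock += 5 * 60 * 1000;
  const whileActive = store.authenticate(token); // still logged in
  clock += 11 * 60 * 1000; // no requests for 11 minutes
  const afterIdle = store.authenticate(token);
  return { whileActive, afterIdle, remaining: store.sessions.size };
}
```

A browser-side timer can still be used to show a "you have been logged out" page, but it is only cosmetic; the decision is made in authenticate().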

A hard coded SSH password found in Fortinet devices

Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears
by Dan Goodin of Ars Technica   Jan 12, 2016
The hard coded SSH password was FGTAbc11*xy+Qqz27 and it was active in 2013 and 2014. Fortinet says it is not a backdoor, writing: "This issue was resolved and a patch was made available in July 2014 as part of Fortinet's commitment to ensuring the quality and integrity of our codebase. This was not a 'backdoor' vulnerability issue but rather a management authentication issue." In response, the top promoted comment at Ars says: "So they're saying there was no malice, just an astounding level of incompetence in the area in which they are supposed to be experts?". Fortinet said nothing to their customers when they disabled the password in 2014. And, it appears they never removed it. Ars was told by a researcher that the password is still in the firmware.

FRITZ!Box vulnerable on the LAN side but fixes are available

FRITZ!Box home broadband routers' security FRITZed
by Richard Chirgwin of The Register   Jan. 12, 2016
FRITZ!Box routers are popular in Germany and Australia. German security company RedTeam Pentesting found that program dsl_control listens for commands on TCP port 8080 on the LAN side. They then found that with the right SOAP request the program offers up a list of the commands that it supports, and, that it will execute these commands without authorization. Come and get it, open to all. Perhaps technically, this is not remotely exploitable, but LAN side attacks can be executed from malicious web pages loaded by a LAN side device. The flaw lets a bad guy gain root access. The bug was found in Feb. 2015 but was not made public to give the vendor time to create and distribute a fix. FRITZ!Box routers can self-update and new firmware is available. All told, well handled by everyone involved.



This page was last updated: February 18, 2018 2PM CT     
Created: February 4, 2015