Router Security: Router Bugs, Flaws, Hacks and Vulnerabilities
Website by Michael Horowitz
Also see my Defensive Computing Checklist website
 

If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck. Below is what I base this opinion on.

This page documents the existence of bugs in routers. Starting April 2018, I also track routers in the news which details the exploitation of router flaws.

You may be thinking that all software is buggy, but router software is probably worse. One reason for this is your ISP, which may have configured the router/gateway in an insecure way, either on purpose, to allow spying, or out of laziness or incompetence. Another reason is cost: router software is developed as cheaply as possible.

This page has bugs from 2026, 2025, 2024, 2023 and 2022. Older bugs, from 2021 through 2012, are available at the bottom of this page. To see all the bugs on one B_I_G web page (which makes it easy to find all the issues for any one manufacturer) click the button for the single-page version.

2026

JUNE 2026

Still More Fortinet Hacks

Massive password-stealing attack hits 75k Fortinet firewalls
by Jessica Lyons of The Register   June 17, 2026
Quoting: "If you have a Fortinet firewall, it's time to stop and change your passwords. Intruders somehow gained access to around 75,000 Fortinet firewall devices and stole credentials belonging to major corporations across 194 countries, in some cases leading to full network compromise. Security researchers say that they have verified the data, and the cracked FortiGate passwords belong to accounts spanning multinational corporations including FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PxW, Accenture, Oracle and many others. " How did the bad guys get all these passwords? Not yet clear. Fortinet claims they were stolen long ago and there is no new bug. However, Kevin Beaumont says the data looks recent. We'll see. Originally discovered by security researcher Volodymyr 'Bob' Diachenko, with further analysis from Hudson Rock and cybersecurity expert Kevin Beaumont. The issue is known as FortiBleed.

Still More Ubiquiti

Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis
by Jon Williams of Bishop Fox   June 5, 2026
Quoting: "Ubiquiti’s Security Advisory Bulletin 064 covers vulnerabilities across the UniFi OS device family that chain into unauthenticated remote code execution. An attacker bypasses the front-end authentication gateway to reach an internal API endpoint that runs an attacker-controlled value as a shell command, all without credentials. We confirmed the full chain end-to-end, turning a single request into a reverse shell with full root privileges. The severity comes from what the appliance controls: it is the management plane for the network it runs. Root on it, therefore, exposes every stored secret...". The article also notes that installing the bug fix(es) does not evict a bad guy who has already gotten into the system.

MAY 2026

Ubiquiti yet again

Ubiquiti patches three max severity UniFi OS vulnerabilities
by Sergiu Gatlan of Bleeping Computer   May 22, 2026
Just two months ago, Ubiquiti was found vulnerable to bugs with the most severe rating possible. Now, they are back, with more maximum severity bugs. The headline is misleading, the company actually patched FIVE bugs. The last two bugs must have become public as Bleeping Computer was writing the headline for the first batch of three. Nerds like Ubiquiti, but they are wrong. They focus on shiny things. The important thing is that Ubiquiti software should not be trusted. Quoting: "Ubiquiti has yet to disclose whether any of the five vulnerabilities were exploited in the wild before disclosure, but shared that they can be exploited in low-complexity attacks ... At the moment, threat intelligence company Censys is tracking nearly 100,000 Internet-exposed UniFi OS endpoints, most of them (nearly 50,000 IP addresses) found in the United States ... Ubiquiti products have been targeted by both state-backed hacking groups and cybercriminals in recent years ..."

SonicWall yet again

Hackers bypass SonicWall VPN MFA due to incomplete patching
by Bill Toulas of Bleeping Computer   May 20, 2026
Quoting: "SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, ... Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances ... " Generation 7 and 8 devices are fine, updating the firmware fixes everything. Generation 6 devices just went End-of-Life last month.

APRIL 2026

Still another bug in high end devices

SonicWall Urges Immediate Patching of Firewall Vulnerabilities
by Ionut Arghire of Security Week   April 30, 2026
The trend continues: serious critical bugs in hardware/software designed to protect networks. Oopsie. These bugs (note the plural) can be exploited to bypass security controls, access restricted services, and crash firewalls.

MARCH 2026

Really critical bug in Ubiquiti

Max severity Ubiquiti UniFi flaw may allow account takeover
by Sergiu Gatlan of Bleeping Computer   March 19, 2026
Ubiquiti has patched two bugs in their UniFi Network Application, aka the UniFi Controller. This software is used to configure and monitor Ubiquiti UniFi networking hardware. One of the bugs is a maximum-severity flaw. A 10 out of 10. In the world of security bugs, it is hard to get rated 10. The big bug lets bad guys exploit a path traversal vulnerability to access files on vulnerable devices and hijack user accounts. The bug is very simple to exploit and does not require an end user to do anything. According to Censys there are nearly 87,000 Internet-exposed UniFi Network endpoints.
Perspective: "In recent years, Ubiquiti products have been targeted by both state-backed hacking groups and cybercriminals who hijacked them to build botnets designed to conceal malicious activity. For instance, in February 2024, the FBI dismantled a botnet of hacked Ubiquiti Edge OS routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic in attacks targeting the United States and its allies."

2025

NOVEMBER 2025

Lots of bugs in D-Link routers

Global Security Advisories, Responses, and Notices
by D-Link   November 24, 2025
The buggy devices include models DWR-M960, DWR-M961, DWR-M921, DWR-M920, DIR-825M and DIR-822K. Each device has multiple bugs. Each security advisory notes that the bugs are in non-US models. The status of the bugs is confusing. They are listed as "under research" and "open". However the text of the security advisories says bug fixes were released. But, the advisories do not have links to patched firmware. What a mess.

Tenda has not fixed bugs in their routers

Tenda N300 Wi-Fi 4G LTE Router 4G03 Pro impacted by vulnerabilities
by CertCC   November 20, 2025
Vulnerability Note VU#268029. Quoting: "A command injection vulnerability exists across multiple firmware versions that allows an attacker to execute arbitrary commands as root on the affected device. Currently, no solution exists to resolve these vulnerabilities in the Tenda N300 series and Tenda 4G03 Pro devices."

Asus router bug

ASUS warns of critical auth bypass flaw in DSL series routers
by Sergiu Gatlan of Bleeping Computer   November 14, 2025
Quoting: "ASUS has released new firmware to patch a critical authentication bypass security flaw impacting several DSL series router models. Tracked as CVE-2025-59367, this vulnerability allows remote, unauthenticated attackers to log into unpatched devices exposed online in low-complexity attacks that don't require user interaction." Buggy models: DSL-AC51, DSL-N16, and the DSL-AC750. The Asus security advisory does not have a unique URL, you have to go to their advisory page and look for CVE-2025-59367. The advisory includes a section with General Security Tips that is a disgrace. It says:
Do not reuse passwords across devices or services.
1. Regularly check for new firmware and security announcements.
2. Do not reuse passwords across devices or services.
3. Regularly check for new firmware and security announcements.
Proving that Asus does not read their own advisories.

OCTOBER 2025

DrayTek fixed a bug in many of their routers

Use of Uninitialized Variable Vulnerabilities
by DrayTek   October 2, 2025
DrayTek has released a security patch for many different Vigor router models. Good: they were very up-front about the fact that the bug exists in multiple models. This differs from most consumer routers, such as the bug below in a TOTOLINK router. Bad: the bug was first identified July 22, 2025. Why the two month delay in issuing this notice? The bug is CVE-2025-10547. The DrayTek note about the bug is DSA-2025-005. The bug lets bad guys hijack Vigor routers using HTTP or HTTPS requests sent to the device's web management panel. No password needed.

TOTOLINK has at least one buggy router

TOTOLINK X6000R: Three New Vulnerabilities Uncovered
by Zhibin Zhang of Palo Alto Networks Unit 42   October 1, 2025
The bug is boring. Two important things here: (1) Is the bug only in the X6000R model? What about other TOTOLINK routers? None of your business (a very common answer with consumer routers). (2) TOTOLINK responded quickly to the bug report and issued a bug fix. However, this article was published three months after the bug fix was released. Why the delay?

SEPTEMBER 2025

Still more Cisco bugs

Zero-day deja vu as another Cisco IOS bug comes under attack
by Carly Page of The Register   September 25, 2025
I have stopped writing up Cisco bugs here because there are so many of them, a point that the author of this article also raised. Quoting: "Cisco has confirmed a new IOS and IOS XE zero-day, the latest in a string of flaws that attackers have been quick to weaponize. Cisco's IOS, the networking software workhorse running across countless switches and routers, has long been a punching bag for attackers, most notably in a 2023 spree that left thousands of boxes compromised. The networking behemoth added yet another high-severity IOS flaw to the tally this week. Tracked as CVE-2025-20352, the vulnerability lives in the Simple Network Management Protocol (SNMP) subsystem . . . Alongside this fix, Cisco bundled updates for a cross-site scripting vulnerability and a denial-of-service flaw, though CVE-2025-20352 is the one that is raising the alarm bells. Given Cisco's track record of IOS zero-days being hammered in the wild, anyone leaving this one until the next maintenance window is taking a gamble they'll probably lose."

AUGUST 2025

Constant flood of Cisco bugs

Cisco's Secure Firewall Management Center now not-so secure, springs a CVSS 10 RCE hole
by Jessica Lyons of The Register   August 15, 2025
This bug is like many other Cisco bugs in that they share the same underlying reason: lazy programming not sanitizing inputs. Think Little Bobby Tables. Unlike other Cisco bugs this one was found by Cisco themselves. Quoting: "Cisco has issued a patch for a maximum-severity bug in its Secure Firewall Management Center (FMC) software that could allow an unauthenticated, remote attacker to inject arbitrary shell commands on vulnerable systems. The vulnerability, tracked as CVE-2025-20265, received a critical 10.0 CVSS rating. It's caused by improper handling of user input . . . This new security hole follows a series of perfect 10 out of 10 severity bugs in Cisco products this summer.
In July, Cisco released a patch for a maximum-severity bug tracked as CVE-2025-20337 in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote attacker to run arbitrary code on the operating system with root-level privileges.
Cisco disclosed CVE-2025-20337 in an update to a June security advisory about two other max-severity flaws in the same products. Tracked as CVE-2025-20281 and CVE-2025-20282, these also received perfect 10s and affect ISE and ISE-PIC, allowing attackers to execute code on the underlying OS as root."

Articles about the June and July bugs are below.

MAY 2025

SonicWall software is buggy as heck

SonicWall urges admins to patch VPN flaw exploited in attacks
by Sergiu Gatlan of Bleeping Computer   May 8, 2025
Three security bugs in the SonicWall Secure Mobile Access (SMA) appliances can be chained by attackers to gain remote code execution as root and compromise buggy devices. At this point no device should have "Secure" in its name as this has been shown to be a Trumpian level lie, over and over again. The bugs are CVE-2025-32819, CVE-2025-32820 and CVE-2025-32821. Fixes are available. Bug CVE-2025-32819 allows bad guys to delete the primary SQLite database, reset the password of the default admin user, and log in to the web interface as that admin user. It gets worse from there. Just last week, SonicWall warned customers that two other bugs are being actively exploited by bad guys.

APRIL 2025

Asus Cloud bug

ASUS warns of critical auth bypass flaw in routers using AiCloud
by Bill Toulas of Bleeping Computer   April 18, 2025
Quoting: "ASUS is warning about an authentication bypass vulnerability in routers with AiCloud enabled that could allow remote attackers to perform unauthorized execution of functions on the device. The vulnerability, tracked under CVE-2025-2492 and rated critical (CVSS v4 score: 9.2), is remotely exploitable via a specially crafted request and requires no authentication, making it particularly dangerous ... AiCloud is a cloud-based remote access feature built into many ASUS routers..." Bug fixes are available.

MARCH 2025

Bad guys still attacking DrayTek routers

Mirai Bot now incroporating (malformed?) DrayTek Vigor Router Exploits
by Johannes Ullrich of SANS   March 16, 2025
Quoting: "Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescout, about 700,000 devices were exposed to these vulnerabilities. At the time, DrayTek released firmware updates for affected routers. Forescout also noted multiple APTs targeting devices ... most of the attacks we are seeing are just searching for DrayTek routers using URLs like "/cgi-bin/mainfunction.cgi" without any arguments. These go back to the end of March of 2020. Starting in June of 2020, we see first exploit attempts for the "keyPath" vulnerability, and these attacks still flare up from time to time. The other vulnerable parameter often exploited is "cvmcfgupload". Below, I create a plot showing the prevalence of these two attacks, and a third one, which I saw again flare up yesterday. "
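The SANS quote above gives three concrete indicators of DrayTek scanning: requests for /cgi-bin/mainfunction.cgi with no arguments, and requests carrying the "keyPath" or "cvmcfgupload" parameters. The script below is an added example, not code from this site or from SANS, showing how a defender could sweep a router's or reverse proxy's access log for those indicators. It assumes Common Log Format lines; the sample log lines are constructed, using documentation IP ranges, and are not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the SANS diary quoted above: bare probes for the
# mainfunction.cgi endpoint, and requests that carry either suspect parameter.
DRAYTEK_CGI = "/cgi-bin/mainfunction.cgi"
SUSPECT_PARAMS = {"keypath", "cvmcfgupload"}

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify_request(target, body=""):
    """Label one request target (path plus query string).

    Returns None for anything not aimed at the DrayTek CGI endpoint.
    `body` is an optional logged POST body, since the parameters may
    arrive there instead of in the query string.
    """
    parts = urlsplit(target)
    if parts.path.lower() != DRAYTEK_CGI:
        return None
    params = set(parse_qs(parts.query, keep_blank_values=True))
    params |= set(parse_qs(body, keep_blank_values=True))
    hits = {p.lower() for p in params} & SUSPECT_PARAMS
    if hits:
        return "exploit-attempt:" + ",".join(sorted(hits))
    if not params:
        # The "URL without any arguments" pattern the diary describes.
        return "scanner-probe"
    return "mainfunction-request"


def scan_log(lines):
    """Parse CLF lines; return (source_ip, timestamp, label) for flagged requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        label = classify_request(m.group("target"))
        if label:
            findings.append((m.group("src"), m.group("ts"), label))
    return findings


def summarize(findings):
    """Count flagged requests per source address, for a quick block/alert list."""
    counts = {}
    for src, _ts, _label in findings:
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample log (not real traffic); 203.0.113.x, 198.51.100.x and
# 192.0.2.x are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Mar/2025:10:01:02 +0000] "GET /cgi-bin/mainfunction.cgi HTTP/1.1" 200 512',
    '203.0.113.5 - - [16/Mar/2025:10:01:05 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&keyPath=test HTTP/1.1" 200 100',
    '198.51.100.7 - - [16/Mar/2025:10:02:11 +0000] "GET /cgi-bin/mainfunction.cgi?cvmcfgupload=1 HTTP/1.1" 404 0',
    '192.0.2.9 - - [16/Mar/2025:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 3000',
    '10.0.0.2 - - [16/Mar/2025:10:03:00 +0000] "POST /cgi-bin/mainfunction.cgi?action=login HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for src, ts, label in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} {label}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Parameter matching is case-insensitive and the empty-query case is reported separately from ordinary logins to the endpoint, so a legitimate LAN-side admin session shows up as "mainfunction-request" rather than being buried with scanner noise; a DrayTek owner who has followed the vendor's advice to keep the web interface off the WAN should see none of these from public addresses at all.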

FEBRUARY 2025

Nine bugs in many DrayTek Vigor routers

Advisory: Multiple vulnerabilities affecting Draytek routers
by Faraday Security   February 25, 2025
Quoting: "Draytek, in particular, caught our attention due to its widespread use in small office/home office (SOHO) environments and its proprietary firmware format, which hinders the work of security researchers. We aimed to analyze and reverse engineer Draytek firmware to develop tools for researching and better securing these devices. Our research discovered multiple security issues, including weak authentication mechanisms, insecure kernel module updates, and persistent backdoor opportunities." The article says nothing about bug fixes from Draytek. However, a week later Draytek released two clumps of bug fixes for many different routers and thanked Faraday for their help. While this is obviously a bad look for Draytek, at least they took the time to research every router model with each bug and fix them all. You do not see this type of response from the makers of consumer routers.

Critical Security Bugs in Netgear Routers

Netgear warns users to patch critical WiFi router vulnerabilities
by Sergiu Gatlan of Bleeping Computer   February 4, 2025
Six Netgear routers are just waiting to be hacked by bad guys. The WAX206, WAX214v2, and WAX220 are vulnerable to one critical security flaw, while three Nighthawk Pro Gaming routers (XR1000, XR1000v2, XR500) are vulnerable to a different critical security flaw. As always, you are safer without remote management that allows direct access to the router. Bug fixes are available, but these routers do not self-update, so they will remain buggy for a while. Security flaws are nothing new for Netgear. In July 2024, they had to urge customers to update to the latest firmware to patch other security flaws. And, in June 2024, security researchers disclosed six flaws of varying severity levels in the Netgear WNR614 N300, an end-of-life router popular among home users and small businesses. No doubt if they had looked at other models, they would have found more.

JANUARY 2025

Zyxel Ignores a Router Bug for 6 Months, and counting . . .

Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891)
by Glenn Thorpe of GreyNoise   January 28, 2025
Security firm VulnCheck disclosed CVE-2024-40891 on August 1, 2024. Yet, the CVE has still not been officially published by Zyxel, nor have they published an advisory. GreyNoise is observing active exploitation attempts targeting a zero-day command injection bug (CVE-2024-40891) in Zyxel devices. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage the bug to execute commands on vulnerable devices, leading to complete system compromise, data exfiltration, or network infiltration. Censys finds over 1,500 vulnerable devices online. Exploitation of the bug has been found in a botnet. A few days later it was revealed that the buggy routers are old and have not been supported for years.

Yet Another Security Appliance With Poor Security

Palo Alto Networks firewalls have UEFI flaws, Secure Boot bypasses
by Lucian Constantin for CSO Online   January 23, 2025
Quoting: "Security researchers have uncovered known firmware flaws in three Palo Alto enterprise firewall devices built on commodity hardware ... [the devices] contain years-old known vulnerabilities in their UEFI firmware - a finding that provides yet more evidence of a broader issue with specialized devices today. Increasingly built on commodity hardware, specialty devices share the same UEFI vulnerabilities as general-purpose PCs and laptops, inheriting similarly slow firmware patching cycles." The article is about a just-released report from Eclypsium. They purchased 3 Palo Alto Networks security appliances and found commodity hardware under the hood. The hardware had vulnerable software, vulnerable firmware and was missing security features. Specifically, there were UEFI vulnerabilities and insecure configurations that have been known about for years. At one point, Palo Alto Networks said they were working on a fix for one of the bugs, but they had not fixed anything. The article details a number of bugs that the three devices from Palo Alto Networks are vulnerable to.

New Fortinet Bug is being exploited

Fortinet warns of auth bypass zero-day exploited to hijack firewalls
by Sergiu Gatlan of Bleeping Computer   January 14, 2025
Quoting: "Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks. ... Successful exploitation allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module. Fortinet says attackers exploiting the zero-day in the wild are creating randomly generated admin or local users on compromised devices ... cybersecurity company Arctic Wolf released a report ... which says that Fortinet FortiGate firewalls with Internet-exposed management interfaces have been under attack since mid-November." And, more. "...Fortinet also released security patches for a critical hard-coded cryptographic key vulnerability (CVE-2023-37936). This vulnerability allows remote, unauthenticated attackers with the key to run unauthorized code via crafted cryptographic requests."

Big Boy Bugs

Sure, consumer routers have their share of bugs, but they don't own the field. On January 8th, Cisco published information on three different bugs. Then, on the 13th, another bug. This, after having a High Severity bug in December 2024, three High Severity bugs in November and also a Critical flaw in November. This list goes on. On January 7th, SonicWall published an advisory about 4 different bugs.

2024

DECEMBER 2024

Bug can cripple Palo Alto routers

Hackers exploit DoS flaw to disable Palo Alto Networks firewalls
by Bill Toulas of Bleeping Computer   December 27, 2024
Quoting: "Palo Alto Networks is warning that hackers are exploiting the CVE-2024-3393 denial of service vulnerability to disable firewall protections by forcing it to reboot. Leveraging the security issue repeatedly, however, causes the device to enter maintenance mode and manual intervention is required to restore it to normal operations." Ironically, the bug only impacts devices with a feature called "DNS Security logging" enabled. On the whole, bug fixes have been released. The exception is for PAN-OS version 11.0, which is too old to bother with. It went end-of-life (EOL) in the middle of November 2024, so clearly slack is not being cut here.

Six buggy Asus routers say bad things about Asus

ASUS Router Improper Input Validation
by Asus   December 3, 2024
Six Asus routers are buggy: the RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX57, RT-AX58U and RT-AX58U_V2. Ho hum, but ... the bug is improper input validation - again. The context here is that just last month (Nov. 2024) Asus issued bug fixes for many of their routers, and one of the bugs they fixed was improper input validation. For example, the AX55, AX57 and AX58 all had new firmware issued just last month. It seems that Asus did a poor job fixing their bugs. Not to mention the large number of bugs they fixed in June 2024, not all that long ago. This time, there is just one bug being fixed, CVE-2024-11985. Last month, Asus danced around the issue of how many bugs they were fixing.

Zyxel bugs: pros and cons

Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and WiFi extenders
by Zyxel   December 3, 2024
There are three bugs in Zyxel software. Yawn. The bugs affect many different types of Zyxel devices. There are fixes. Yawn. What impresses me, however, is how thorough the company was in researching these bugs. Their writeup has three long lists of vulnerable devices, one for each bug. Typically a bug is reported in one device, that device is fixed and 99 other devices that probably have the same bug are ignored. Not here. The down side, however, is getting the patched software. Zyxel says "For end-users who purchased your Zyxel device yourself, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel's Community for further assistance." They link to community.zyxel.com/en which is a generic support site with nothing specific about firmware downloads.

NOVEMBER 2024

Still more critical D-Link router bugs

D-Link tells users to trash old VPN routers over bug too dangerous to identify
by Connor Jones of The Register   November 20, 2024
This sure looks like the story below from November 13th, but no. This too is a serious remote code execution (RCE) vulnerability. Here too, the routers are too old to bother fixing and should be replaced. But this is different: "Most of the details about the bug are being kept under wraps given the potential for wide exploitation. Unauthenticated RCE issues are essentially as bad as vulnerabilities get ..." D-Link is offering 20 percent off the price of a new D-Link router. Not a good move, best to avoid D-Link. These routers are vulnerable to this bug and went EoL in May 2024: DSR-150, DSR-150N, DSR-250, DSR-250N. These routers are also vulnerable to this bug, but they went EoL 9 years ago: DSR-500N and DSR-1000N.

Fortinet fails to fix buggy Windows VPN software

Chinese hackers exploit Fortinet VPN zero-day to steal credentials
by Bill Toulas of Bleeping Computer   November 18, 2024
There is a bug in the Fortinet Windows VPN client software that allows bad guys to steal credentials after the victim has authenticated to the VPN server. A new report from Volexity says that they discovered and reported the bug earlier this summer. Here it is November and Fortinet still has not fixed the vulnerability. Volexity says that the FortiClient software fails to clear sensitive information (username, password, VPN gateway, and port) from its memory. How Fortinet failed to fix their software for so long is really hard to imagine.

Palo Alto Network devices have still more bugs

CISA warns of more Palo Alto Networks bugs exploited in attacks
by Sergiu Gatlan of Bleeping Computer   November 14, 2024
Note the word "more" in the headline. These bugs are currently being exploited by bad guys. It is more of the usual: one bug lets bad guys run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. A second bug provides access to password hashes, usernames, device configurations, and device API keys, and also lets the bad guys create or read arbitrary files.

D-Link ruins the world, yet again

Today It's 60K EoL D-Link Routers That Aren't Getting Patches
by Jeremy Hellstrom of PC Perspective   November 13, 2024
Quoting: "No, It's Not A Repeat. Last Week Was 60K NAS Devices. Today in reasons to reconsider purchasing or recommending D-Link products, there are almost 60,000 D-Link DSL6740C routers that hit EoL at the beginning of this year with critical security flaws that will not be patched ... the devices were only ever sold overseas; Taiwan having the most devices ... The vulnerabilities include a 9.8 that allows an attacker to change the password of an existing account on the router, thus granting themselves as much access as they could ever want while simultaneously locking the owner out of their router. There are two more ... It is unreasonable to expect companies to support their devices forever, however with devices that can cause serious havoc across the globe we need something better than a shrug from the manufacturers."

Security updates to most every Asus router

New firmware Update for Enhanced security
by Asus   November 4, 2024
Intro: Asus puts all their security problems on one big web page. Their routers (at least most of them) do not self-update, so the web page nags you to do the dirty work. It is also up to you to check for updates, they won't bother emailing you. The security changes are described very vaguely, nothing detailed. They say: "ASUS has released several firmware updates to enhance security" which means many of their routers are buggy. They say "Strengthened input validation and data processing workflows". No one knows what a data processing workflow is. And not validating your inputs is just lazy stupid programming. And "Improved web rendering engine, enhancing browsing experience and security." Again, weasel words looking to sound nice but most likely covering up something ugly. And "Enhanced security of system command processing to guard against potential malicious operations." No doubt, this is a biggy. There's more but you get the point - do a manual update. How many different bugs were fixed? None of your business.

OCTOBER 2024

FortiJump bug in Fortinet FortiManager

Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs
by Kevin Beaumont   October 23, 2024
There is widespread exploitation of FortiNet products using a zero day and there is not even a lousy CVE (one was issued two days after this article was written). The bug has been under widespread exploitation for a while. Beaumont argues that by clamming up, the only ones Fortinet is protecting are themselves, and any governments that don't want to be embarrassed. FortiManager is a product that manages a bunch of FortiGate firewalls. The FortiManager has a Device Manager that uses FGFM to add new devices and install policy packages and device settings. Quoting: "FortiNet made a number of errors in how this is implemented. For example, out of the box, by default, FortiManager allows any device, even with an unknown serial number, to register with FortiManager automatically and become a managed device ... Once registered, there’s a vulnerability which allows remote code execution on the FortiManager itself via the rogue FortiGate connection. From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations." Very bad. Worse is that Managed Service Providers often use FortiManager, so when they get compromised so too can all their customers get hacked. Beaumont claims that a state-sponsored group is behind the attacks on this bug. Mandiant says the bug has been exploited since June. Censys says there are over 4,000 FortiManager admin portals exposed to the Internet.

Fortinet Clams up

FortiGate admins report active exploitation 0-day. Vendor isn’t talking.
by Dan Goodin for Ars Technica   October 22, 2024
Some mistakes you just can't make. Being aware of a new critical security flaw and saying nothing to your customers, is one of those mistakes. Quoting the article:
"Fortinet, a maker of network security software, has kept a critical vulnerability under wraps for more than a week amid reports that attackers are using it to execute malicious code on servers used by sensitive customer organizations. Fortinet representatives didn’t respond to emailed questions and have yet to release any sort of public advisory detailing the vulnerability or the specific software that’s affected. The lack of transparency is consistent with previous zero-days that have been exploited against Fortinet customers. Vulnerability allowing remote code execution has been discussed since at least 9 days ago."

More Big Boys Have Bugs

CISA says critical Fortinet RCE flaw now exploited in attacks
by Sergiu Gatlan of Bleeping Computer   October 9, 2024
Bad guys have been found actively exploiting a critical FortiOS remote code execution bug. Think Little Bobby Tables and not sanitizing your input. The bug lets bad guys execute commands or code on vulnerable devices in an attack that is low-complexity and does not require user interaction. Fortinet disclosed and patched this security flaw in February 2024. Yet, the US Government just got around to mandating that the fix be installed by October 30, 2024. Eight months to fix a critical bug. Why not just hang a WE USE FORTINET - HACK US poster on every government building?

The Big Boys Have Bugs Too

Palo Alto Networks warns of firewall hijack bugs with public exploit
by Sergiu Gatlan of Bleeping Computer   October 9, 2024
What does it say when a device purchased to increase security, is itself buggy? So buggy, that it lowers your security. There are 5 bugs, all have patches available. I can't judge 4 of the bugs, but the 5th is shameful, they put passwords in logs in clear text. Not what a security focused device should do. After installing patched software, Palo Alto users are advised to change all userids and passwords. Ugh. For context, back in April 2024, Palo Alto was seriously vulnerable - they had to release a fix for a maximum-severity zero-day bug that bad guys were found exploiting.

14 (not a typo, really 14) bugs in DrayTek routers

DrayTek fixed critical flaws in over 700,000 exposed routers
by Bill Toulas of Bleeping Computer   October 2, 2024
Where do we begin? At least the bugs have been patched. The bugs exist in 24 router models, 11 of which are End-of-Life. Due to the severity of the bugs, DrayTek has made fixes available, even for the 11 non-supported models. They are not D-Link. The most severe bug has a critical rating of 10 out of 10, which is to say: brutal (really very critical). Five of the flaws are said to require immediate attention. Looking at it another way, 2 are critical severity, 9 high severity, and 3 medium severity. DrayTek recommends that the web interface to their routers only be available on the LAN side. Yet, the company that found these bugs, Vedere Labs, found over 704,000 DrayTek Vigor routers exposing their web interface to the internet. No mention was made of whether there is a mobile app for administering DrayTek routers. I looked at the Release Notes for some of the fixed firmware and they said little more than "better security". That's disappointing. This article is based on a report by Vedere Labs, which seems to be a subsidiary of Forescout Research. A link to the report is below along with some pretty damning quotes. On the up side, they do say that DrayTek responded promptly to their bug reports.

SEPTEMBER 2024

Disgraceful D-Link bugs

D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers
by Bill Toulas of Bleeping Computer   September 14, 2024
There are honest mistakes and then there are hard coded passwords which are inexcusable, disgraceful mistakes. D-Link disclosed and fixed five bugs in three of their routers: the COVR-X1870, the DIR-X4860 and the DIR-X5460. Three bugs are rated critical. To me, the worst of the five is that the Telnet service is enabled when the WAN port is active, allowing remote access with hard-coded passwords. The buggy routers are popular with consumers, especially among those looking for high-end WiFi 6 and mesh networking. It took D-Link over 3 months to fix the bugs. Seems like a long time. The article did not say if any of these bugs are the same as those in the DIR-846W (see below).

Throw away the D-Link DIR-846W router

D-Link says it is not fixing four RCE flaws in DIR-846W routers
by Bill Toulas of Bleeping Computer   September 3, 2024
Yet another instance of router flaws that will not be fixed. And, not said in the article, is whether any other D-Link routers suffer from the same bugs. Chances are they do. As to the details: there are four remote code execution flaws in all versions of the D-Link DIR-846W router and the bugs will not be fixed. Three of the bugs are rated critical and do not require authentication. DIR-846W routers were sold primarily outside the U.S. The model is still sold in some markets, including Latin America.

Zyxel bugs

Security Advisories from Zyxel
Lots of Zyxel bugs in September. On the 3rd, they issued a security advisory for OS command injection vulnerability in APs and security router devices. Also on the 3rd, they issued a security advisory for multiple vulnerabilities in firewalls. And still on the 3rd, another security advisory for a buffer overflow bug in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices. Then, a week later, on the 10th a security advisory for an insufficient entropy bug with web authentication tokens in their GS1900 series switches. Also on the 10th, an advisory for an OS command injection bug in their NAS products.

AUGUST 2024

Critical Sonicwall bug

SonicOS Improper Access Control Vulnerability
a Security Advisory from SonicWall   August 22, 2024
Quoting: "An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and ... causing the firewall to crash." This means, in simple terms, bad guys can get in without knowing any passwords. The bug is being exploited in the wild, as of early September 2024. A patch was released at the end of August.

JULY 2024

Cisco, yet again

Vulnerability in Cisco Smart Software Manager lets attackers change any user password
by Dan Goodin of Ars Technica   July 17, 2024
The severity of the bug, tracked as CVE-2024-20419, is rated 10 out of 10. This is as rare as the Hope Diamond. The bug is due to a buggy implementation of the password-change process. Bad guys just need to send bad HTTP requests to a vulnerable device. A successful exploit allows the bad guy to access the web interface or the API with the privileges of the compromised user. There are no workarounds. Ars readers made many comments to the article.

Sonicwall accused of hiding a security bug

Sonicwall hidden security bug
by Catalin Cimpanu in the Risky Business security newsletter   July 17, 2024
Yet another example of how high end networking devices do not insure good security. Quoting from the newsletter: "Sonicwall hidden security bug: Vulnerability disclosure platform SSD has accused Sonicwall of secretly patching a major security flaw in its SMA100 security appliances. SSD says SMA100 appliances contained a vulnerability in a feature called Classic Mode that could have been abused for RCE attacks on authenticated users. The security firm claims Sonicwall removed Classic Mode from SMA100 devices last November without telling users of the possible threat. Sonicwall didn't include the removal in patch notes, didn't assign a CVE for the bug, and did not warn customers still using older firmware. SSD has now released a write-up and exploit code."

JUNE 2024

Critical bug in Juniper routers

Juniper Networks flings out emergency patches for perfect 10 router vulnerability
by Connor Jones of The Register   July 1, 2024
Juniper Networks devices are high end. Very high. A critical bug in some Juniper devices forced the company to issue emergency patches last week. The bug, an authentication bypass issue (CVE-2024-2973), was rated 10 out of 10, which is very rare. The buggy devices are the Juniper Session Smart Router, their Session Smart Conductor management platform, and WAN Assurance Routers. Only devices using high-availability redundant configurations are vulnerable. This is one indication of how high end Juniper products are - they actually researched the problem and reported on which of their devices are vulnerable and which are not. Very different from consumer routers.

Bug in D-Link router illustrates much about consumer routers

Hackers exploit critical D-Link DIR-859 router flaw to steal passwords
by Bill Toulas of Bleeping Computer   June 29, 2024
The D-Link DIR-859 router is old and has been retired (End of Life or EoL) by the company. It also has a critical bug that lets bad guys get total control of the router. The points that this illustrates about consumer routers:

  1. D-Link can not be shamed into offering a fix
  2. Both the article and the D-Link response are about one router model. What about other D-Link models? Might they share the same bug? None of our business.
  3. D-Link says nothing about contacting owners of the buggy router to tell them about the security flaw. They have your money and are done with you.
  4. The bug was disclosed in January 2024, so why is this article, and the note from D-Link, appearing six months later?
Such is the state of consumer routers, and that is the real take-away here.

A flood of bugs in Asus routers

High-severity vulnerabilities affect a wide range of Asus router models
by Dan Goodin of Ars Technica   June 17, 2024
Yikes. Multiple critical vulnerabilities that allow bad guys to remotely take control of many Asus router models. No authentication needed. No mistake by the router owner or users needed. One bug (CVE-2024-3080) is an authentication bypass flaw that lets remote attackers log into a device. Routers with this bug are the Asus XT8, XT8_V2, RT-AX88U, RT-AX58U, RT-AX57, RT-AC86U, RT-AC68U. These same models also suffer from a second bug. A third bug allows remote hackers to execute commands with no user authentication. That bug affects these models: DSL-N12U_C1, DSL-N12U_D1, DSL-N14U, DSL-N14U_B1, DSL-N16, DSL-N17U, DSL-N55U_C1, DSL-N55U_D1, DSL-N66U, DSL-AC51/DSL-AC750, DSL-AC52U, DSL-AC55U, DSL-AC56U. There are fixes for these models. However, the same third bug is in these models which are too old and will not be fixed: DSL-N10_C1, DSL-N10_D1, DSL-N10P_C1, DSL-N12E_C1, DSL-N16P, DSL-N16U, DSL-AC52 and DSL-AC55. You might think that if you owned an Asus router and registered with them, they would tell you about critical updates like this by email. But, no. Some of these models can auto-update but there are complaints about the Asus auto updating system. Ars reader comments show some very unhappy customers who tried to install the patches. Three critical bugs. At some point, you have to wonder if maybe Asus is just not very good at this whole router thing.
Proving this theory is the article below from Bleeping Computer. It adds that ASUS has also updated Download Master, a utility that enables you to download files directly to a USB storage device connected to the router. It supports torrent, HTTP and FTP with the last two being miserably insecure. The update fixes five medium to high-severity bugs. So, that's 8 recent bugs, if you are counting.

MAY 2024

TP-Link router with a HUGE bug

Security Advisory: Remote Command Execution on TP-Link Archer C5400X
by OneKey   May 27, 2024
This is a huge bug; the severity was rated 10 out of 10, which is pretty rare. The router exposes a network listener on TCP ports 8888, 8889, and 8890. This listener software is vulnerable to command injection and buffer overflows. A bad guy that exploits this flaw gets total control of the router. Game over. What is not addressed, either by OneKey, the company that found the bug, or by TP-Link, is whether this is the only router with the bug. TP-Link makes dozens of different routers. This is the typical pattern with consumer routers: a security person/company tests one model, finds a bug, the company fixes the bug in that one model and no one bothers to check any other models running similar firmware. On the page on this site about dealing with a new router, I suggest connecting it to an existing router and running nmap or another port scan product on the WAN port of the router. This would have exposed the open TCP ports. No consumer router should have any open ports out-of-the-box.
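Here is what that WAN-side port check looks like in code, as an added example (my code, not from OneKey, TP-Link or the article): a plain TCP connect scan in Python that checks a router's WAN address against a constructed list of ports, including the 8888-8890 listener ports from this advisory and Telnet on port 23, the service the D-Link entry above found enabled on the WAN side. It assumes the new router has been plugged, WAN port first, into an existing LAN and that its WAN address is known. It stands in for nmap only for this narrow check; nmap is still the better tool.

```python
import socket
import sys
from typing import Iterable

# Constructed check-list, not from the advisory: the three listener ports named
# for the Archer C5400X (8888-8890) plus the usual remote-management ports,
# including Telnet (23), TR-069 (7547) and the web interface ports.
WAN_PORTS_OF_INTEREST = [21, 22, 23, 53, 80, 443, 7547, 8080, 8443, 8888, 8889, 8890]


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect() to host:port completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, filtered or unreachable all count as "not open" here.
        return False


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> list[int]:
    """Plain TCP connect scan (what nmap -sT does): sorted list of ports that answered."""
    return sorted(p for p in ports if tcp_port_open(host, p, timeout))


def wan_exposure_report(open_ports: list[int]) -> str:
    """Verdict in the spirit of the rule above: a new consumer router should expose nothing."""
    if not open_ports:
        return "PASS: no open TCP ports among those checked on the WAN side"
    listed = ", ".join(str(p) for p in open_ports)
    return f"FAIL: open TCP ports on the WAN side: {listed} (check the manual, then the vendor's advisories)"


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <router-wan-ip>", file=sys.stderr)
        return 2
    found = scan_ports(argv[1], WAN_PORTS_OF_INTEREST)
    print(wan_exposure_report(found))
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine on the existing LAN with the new router's WAN address as the argument. A FAIL is not proof of a bug, but it is exactly the question the vendor should have to answer: why is that port open on the Internet side at all?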

APRIL 2024

None of your business

Asus Product Security Advisory
by Asus   April 12, 2024
Just like the TP-Link bugs below, this too, illustrates what is wrong with consumer routers. The Asus Product Security Advisory page shows that security related bug fixes were issued for these models: EBM68, EBR63 and RT-AX57 Go. Period. That's all it says. What was the bug? How serious is it? Is there a work-around? Were there multiple bugs? None of your [expletive deleted] business. Asus customers are not entitled to this information.

Bugs in TP-Link routers and APs

Vulnerability in some TP-Link routers could lead to factory reset
by Jonathan Munshaw of Cisco Talos   April 10, 2024
These bugs illustrate everything wrong with consumer routers. For one thing, which models are buggy? Talos cannot test every TP-Link device; they test a few and find bugs. What about the others? Talos can't know and TP-Link says nothing, issuing fixes for the few tested models. Also, TP-Link says nothing about any of this on their Security Advisory page. This is quite different from the March 2024 bug in Netgear routers shown below. There, Netgear was very clear about the affected models. Talos found four bugs and told TP-Link on Dec 11, 2023. Fixes were issued April 3, 2024. Too long? Matter of opinion, judge for yourself.

MARCH 2024

Bug in 3 Netgear routers

Netgear RAX30 JSON Parsing getblockschedule() stack-based buffer overflow vulnerability
by Cisco Talos   March 7, 2024
"A stack-based buffer overflow vulnerability exists in the JSON Parsing getblockschedule() functionality of Netgear RAX30 ... A specially crafted HTTP request can lead to code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability." Discovered by Michael Gentile of Cisco Talos. Not the worst bug as the bad guy has to be on your LAN to exploit it. Netgear is clear about which models are buggy: RAX28, RAX29 and RAX30. Talos told Netgear about the bug Dec 6, 2023. Netgear issued a fix March 6, 2024.

FEBRUARY 2024

Lots of critical Fortinet bugs

Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim
by Connor Jones of The Register   February 9, 2024
TLDR: you pay for more security, you end up less secure. And, Fortinet seems like a Mickey Mouse company. There is "yet another critical security vulnerability in FortiOS". This one is CVE-2024-21762 and it is rated 9.6 for severity. The bug impacts unsupported versions of FortiOS and the company will not issue fixes for those versions, forcing customers to upgrade or switch vendors. This critical bug comes a few days after the disclosure of two other critical FortiOS bugs on February 6. The earlier disclosure "... immediately attracted our attention since it's not too often we hear about two maximum severity bugs being disclosed on the same day, impacting a major security product like FortiSIEM. However, that's what happened on Tuesday with both CVE-2024-23108 and CVE-2024-23109 appearing in the National Vulnerability Database (NVD)."
On top of the three critical bugs, the way Fortinet handled things was shameful. The Register called them "unprofessional". In regard to the first two bugs, the article says "Firstly, Fortinet backtracked and said these weren't vulnerabilities at all, instead explaining that they were issued in error and were duplicates of the single vulnerability mentioned in the aforementioned October advisory - CVE-2023-34992. Then, within hours of this, the company backtracked again saying that yes, actually, these are two new vulnerabilities - two bypasses for October's CVE-2023-34992. This came after the researcher credited with the discoveries published the email from Fortinet confirming the findings were indeed actual vulnerabilities".

2023   top

DECEMBER 2023

Ubiquiti Configuration Error

Ubiquiti blunder let some folks view others' security cameras, accounts
by Jessica Lyons of The Register   December 15, 2023
A Ubiquiti bug allowed some of their customers to see security camera footage from other customers and access both accounts and devices that didn't belong to them. Ubiquiti said this was due to a cloud system misconfiguration and things have been fixed.

21 Bugs in Sierra Wireless routers

Sierra: 21 vulnerabilities impact critical infrastructure routers
by Bill Toulas of Bleeping Computer   December 6, 2023
"A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks." Catch that? 21 bugs. 21. The flaws were discovered by Forescout Vedere Labs. They affect Sierra Wireless AirLink cellular routers and open-source components like TinyXML and OpenNDS. TinyXML is EoL, so no fix there. The other bugs have available fixes. One bug is considered critical, eight of them are high severity score, and a dozen were considered a medium risk. Forescout found over 86,000 AirLink routers exposed online in organizations engaged in power distribution, vehicle tracking, waste management, and national health services.

OCTOBER 2023

Chinese hackers must love Cisco. Cisco customers, not so much

'Cisco buried the lede.' Over 10,000 network devices backdoored through unpatched zero day
by Dan Goodin for Ars Technica   October 17, 2023
Yet another Cisco shit show. Their devices are being hacked left and right. It's a new bug and there was no fix at the time this was publicly disclosed. The bug is CVE-2023-20198 and it is rated 10 out of 10, the worst possible case. The bug is relatively easy to exploit. The bug is in the Web User Interface of their IOS XE software. The number of already hacked devices came from security firm VulnCheck and they had not finished their scan when the article was written. About a week after the s... hit the fan, it was disclosed that over 40,000 Cisco devices had been hacked. The bug lets a bad guy create an admin account on the vulnerable device. Cisco released a fix on Oct 23, 2023.

Buggy software on high end hardware

Juniper Networks Patches Over 30 Vulnerabilities in Junos OS
by Ionut Arghire of Security Week   October 13, 2023
Juniper Networks patches over 30 vulnerabilities in Junos OS and Junos OS Evolved, including nine high-severity bugs. This is bad enough, but it was only two months ago that Juniper patched another clump of severe bugs. My writeup for those bugs is below, filed under September. They are quite the bug factory.

Cisco makes the same huge mistake over and over

Cisco Can’t Stop Using Hard-Coded Passwords
by Bruce Schneier   October 11, 2023
Quoting: "This is not the first time Cisco products have had hard-coded passwords made public. You’d think it would learn."

SEPTEMBER 2023

Patched Juniper bugs being ignored by nerds

Thousands of Juniper Junos firewalls still open to hijacks, exploit code available to all
by Jessica Lyons Hardcastle of The Register   September 18, 2023
On August 17th of this year, Juniper revealed and addressed five bugs that appear in all versions of Junos OS on SRX firewalls and EX Series switches. Then, on August 25, watchTowr published a proof of concept exploit for two of the bugs, used together, that allowed unauthenticated bad guys to get remote code execution by uploading two files. Then, on September 18th, VulnCheck CTO Jacob Baines published a report claiming that just one of the bugs, all by itself, was sufficient for remote bad guys to totally hack a buggy device. VulnCheck has also released a scanning tool to identify firewalls vulnerable to this bug. VulnCheck believes the majority of affected internet-facing firewalls (79 percent or about 15,000 devices) still are not patched. Quoting: "Juniper did not respond to The Register's inquiries about the new RCE exploit, the confusing CVE descriptions, or the number of still-vulnerable devices."

Huge security flaws in 3 Asus routers

ASUS routers vulnerable to critical remote code execution flaws
by Bill Toulas of Bleeping Computer   September 5, 2023
Lazy programming strikes again. There is no excuse for this crap other than second (or third) rate programmers. The Asus RT-AX55, RT-AX56U_V2 and RT-AC86U routers all have critical security bugs that are as bad as bad gets. These are high end models favored by gamers for their performance. The bugs are known as format string errors. That is polite talk. In simpler terms, user input was not sanitized. Little Bobby Tables. The bugs can be exploited remotely and without authentication, potentially allowing remote code execution. Bug fixes have been trickling out over the last couple of months.

JULY 2023

Mikrotik is clearly not trustworthy. Their poor security practices make a bug much worse

Super Admin elevation bug puts 900,000 MikroTik devices at risk
by Bill Toulas of Bleeping Computer   July 25, 2023
A bug, known as CVE-2023-30799, allows bad guys with an existing admin account to elevate their privileges to "super-admin", a level that was never intended to be given to anyone. This level of access was intended for use only by certain parts of the router operating system. Although the requirement to first have an admin account sounds like a high bar to clear, the article explains that due to generally miserable security practices, it is not a very high bar. First off, the Mikrotik RouterOS system does not prevent password brute-force attacks. And, it comes with a default admin userid, as do many routers. To me, the biggest disgrace is that until October 2021 the default admin password was an empty string. Clearly Mikrotik cares nothing about security. In contrast, Peplink forces you to change the router password immediately after the default one is used the first time. And, RouterOS will accept any password; there is no such thing as too short a password. The bug was first disclosed to Mikrotik in June 2022 and they fixed it 4 months later in the stable version of RouterOS. The flaw was found by Margin Research employees Ian Dupont and Harrison Green. However, Mikrotik did not fix the bug in the long-term version of the OS until just now (July 2023). Why the delay? According to VulnCheck, the long-term version of the OS was only fixed after they nagged Mikrotik about it. Oopsie. One estimate is that 474,000 Mikrotik routers expose their web interface to the Internet and thus are vulnerable.

JUNE 2023

Fortinet again

Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
by Lawrence Abrams of Bleeping Computer   June 11, 2023
Fortinet devices are popular, making them a prime target for attacks. This bug is estimated to impact over 500,000 devices. Yikes. Fortinet is known to push out security patches prior to disclosing critical vulnerabilities to give customers time to update their devices before threat actors can reverse engineer the patches. They seem to have done so; fixes are available for an undisclosed, critical pre-authentication remote code execution vulnerability known as CVE-2023-27997 (Fortinet calls it FG-IR-23-097). The bug is a heap-based buffer overflow in FortiOS and FortiProxy SSL-VPN. It can let unauthenticated bad guys run software on the box (RCE). One article said the bug was discovered during a code audit of the SSL-VPN module following attacks against government organizations exploiting the recent FortiOS bug known as CVE-2022-42475. Another article said it was discovered by Lexfo Security researchers Charles Fol and Dany Bach.
Update: 300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug by Bill Toulas of Bleeping Computer. July 3, 2023. If you thought a critical bug in a critical device would be quickly fixed, you don't know how IT works in 2023. Security company Bishop Fox reported that more than 2 weeks after Fortinet issued their bug fix, most of their devices remain vulnerable. Specifically, Bishop Fox found 153,414 FortiGate firewall boxes had been updated and over 300,000 had not. What could be worse? They also found that many of the exposed FortiGate devices had not received an update for the past eight years. 8 [expletive] years.

Asus fixes NINE security flaws

ASUS urges customers to patch critical router vulnerabilities
by Sergiu Gatlan of Bleeping Computer   June 19, 2023
Asus released bug fixes for nine security flaws that affect many different models. Two fixes are rated Critical and six are rated High in severity. One is still being evaluated. The vulnerable models are: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, TUF-AX5400. That the bugs affect 19 different models is an improvement, and a big one at that. Many reports about router bugs are said to only apply to a single model and I very much doubt that is ever true. Full details from Asus:
Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
Fixed DoS vulnerabilities in firewall configuration pages.
Fixed DoS vulnerabilities in httpd.
Fixed information disclosure vulnerability.
Fixed null pointer dereference vulnerabilities.
Fixed the cfg server vulnerability.
Fixed the vulnerability in the logmessage function.
Fixed Client DOM Stored XSS
Fixed HTTP response splitting vulnerability
Fixed status page HTML vulnerability.
Fixed HTTP response splitting vulnerability.
Fixed Samba related vulnerabilities.
Fixed Open redirect vulnerability.
Fixed token authentication security issues.
Fixed security issues on the status page.
Enabled and supported ECDSA certificates for Let's Encrypt.
Enhanced protection for credentials.
Enhanced protection for OTA firmware updates.

MAY 2023

Still more critical Zyxel bugs

Zyxel warns of critical vulnerabilities in firewall and VPN devices
by Bill Toulas of Bleeping Computer   May 25, 2023
Quoting: "Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could leverage without authentication. Both security issues are buffer overflows and could allow denial-of-service (DoS) and remote code execution on vulnerable devices." Both bugs are rated 9.8 out of 10 which means they are really really bad. Bug fixes are available. Bugs are CVE-2023-33009 and CVE-2023-33010. A different Zyxel bug, one that had a patch released in April 2023, is being actively exploited by bad guys. That bug affects the same firewall and VPN products as these two.

Still more critical Cisco bugs

Cisco squashes critical bugs in small biz switches
by Jeff Burt of The Register   May 18, 2023
Cisco software has more critical bugs than grains of sand on a beach. This time, there are four critical security vulnerabilities in several of their switches. And, of course, Cisco did not find the bugs on their own, someone else reported them. The flaws are in the web interface and they can be used to run arbitrary code with root privileges. All the bugs have a CVSS severity rating of 9.8 out of 10. As we have seen many times before with Cisco, the bugs are due to improper validation of requests sent to the web interface. It's like they are not even trying. Or, their programmers are as lazy as lazy gets. Buggy devices: the 250 Series smart switches, 350 Series managed switches, 350X Series and 550X stackable managed switches. Also the Business 250 Series smart switches and Business 350 Series managed switches. The bugs are CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 and CVE-2023-20189. Another thing we have seen before with Cisco: three other buggy switches won't be fixed because they are toooooooooooooooooooo old.

Still another Fortinet bug

A More Complete Exploit for Fortinet CVE-2022-42475
by Carl Livitt and Jon Williams of Bishop Fox   May 17, 2023
On this page is a writeup about a bug in Fortinet FortiOS software from March 2023 and another writeup about another bug from October 2022. This is yet another bug. Quoting: "Recently, there has been some buzz about remotely exploitable vulnerabilities in Fortinet security appliances, especially FortiGate firewalls. This blog focuses on one such bug: CVE-2022-42475, a remotely exploitable heap overflow in the SSL VPN component of FortiGate and FortiProxy appliances. It was discovered in the wild by Fortinet in late 2022 during an investigation into a compromised firewall." The article is a very detailed look at the bug.

APRIL 2023

Many Many Zyxel bugs

Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks - Patch Now
by Ravie Lakshmanan of Hacker News   April 28, 2023
Zyxel just released three security advisories to fix what looks like nine different bugs in their assorted devices. Each clump of bugs was found by a different security company. The first clump is a lone critical security flaw in its firewall devices that can be exploited to achieve remote code execution on buggy systems. This affects ATP, USG FLEX, VPN and ZyWALL/USG. The second clump of fixes includes a high-severity post-authentication command injection bug that affects select firewall versions and permits an authenticated bad guy to execute OS commands remotely. The third clump of fixes includes five high-severity flaws and one medium-severity bug affecting several firewalls and APs. These bugs could result in code execution and cause a denial-of-service. You may also want to scan the rest of this page and site for more references to Zyxel.

One TP-Link router is buggy. Other models? None of your damn business

TP-Link Archer WiFi router flaw exploited by Mirai malware
by Bill Toulas of Bleeping Computer   April 25, 2023
"The Mirai malware botnet is actively exploiting a TP-Link Archer A21 (AX1800) WiFi router vulnerability tracked as CVE-2023-1389 to incorporate devices into DDoS (distributed denial of service) swarms. Researchers first abused the flaw during the Pwn2Own Toronto hacking event in December 2022, where two separate hacking teams breached the device using different pathways LAN and WAN side." This is a big time bug, a bad guy can use it to execute arbitrary code in the context of root. Like many bugs, this is due to the programmers being lazy and not validating user input. It seems the programmers are stupid too; the company first attempted to fix this in February, but the fix was incomplete. Personally, I do not want to use firmware written by lazy stupid people. Adding insult to injury, in their description of the fixed firmware, this is all TP-Link says: "Fixed some security issues." And, the biggest reason not to use a router from TP-Link is their other 23 models of routers. Are they buggy too? No one says. How likely is it that of the many many different router models, only this one has the bug?
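The lazy-programmer pattern behind this TP-Link bug, behind the Zyxel OS command injection bugs above and behind Cisco's "improper validation of requests sent to the web interface", is user input glued into an OS command. As an added example (my code, not TP-Link's firmware or anything from the article), here is the vulnerable shape of a "ping this host" diagnostic page next to the hardened shape, in Python with a constructed injection string. The only assumption is that such a feature takes a host name from a web form and runs ping on it, which is what these diagnostic pages typically do.

```python
import ipaddress
import re

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed attacker input for a "ping this host" diagnostic form.
INJECTED_HOST = "8.8.8.8; reboot"


def build_ping_command_unsafe(host: str) -> str:
    """The shape behind most router command-injection advisories: the form value
    is concatenated into a shell command line. Built here, never executed, so
    the injected text can be inspected."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allow-list validation: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def build_ping_command_safe(host: str) -> list[str]:
    """Hardened shape: validate against the allow-list, then return an argv list
    so the value reaches ping as one argument and no shell ever parses it
    (the firmware side would call subprocess.run(argv) with no shell=True)."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print("unsafe:", build_ping_command_unsafe(INJECTED_HOST))  # the '; reboot' rides along
    try:
        build_ping_command_safe(INJECTED_HOST)
    except ValueError as err:
        print("safe:", err)
    print("safe:", build_ping_command_safe("router.example.net"))
```

The two halves of the fix matter separately: the allow-list stops garbage from getting anywhere near a command, and the argv list means that even a validation slip does not hand the value to a shell. An "incomplete fix" of the kind TP-Link shipped in February is typically one that blocks a few shell characters while still building a command string.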

Yet another reason to use VLANs

With ICMP magic, you can snoop on vulnerable HiSilicon, Qualcomm-powered Wi-Fi
by Thomas Claburn of The Register   April 7, 2023
Sub-heading: WPA stands for will-provide-access, if you can successfully exploit a target's setup
"A vulnerability identified in at least 55 Wi-Fi router models can be exploited by miscreants to spy on victims' data as it's sent over a wireless network." At least 55 routers. The bug is in Qualcomm and HiSilicon chips found in various wireless access points. The flaw (CVE-2022-25667) prevents the devices from blocking forged Internet Control Message Protocol (ICMP) messages. These scam messages can be abused to hijack and observe a victim's wireless connectivity. The technical pre-reqs to abuse this flaw are fairly high. A bad guy can only intercept and snoop on the traffic of another device on the same network. The bad guy also needs to be able to directly communicate with the victim device and know the victim's IP address. In addition, the bad guy must find an open UDP port on the victim device - any open port will do. Needless to say, intercepted traffic is safer if encrypted, so HTTPS and secure DNS are great defenses. The bug seems widespread; they tested 55 products from ten vendors and all were buggy. The vulnerable devices they tested were made by: Cisco, Netgear, 360, Mercury, Xiaomi, Ruijie, H3C, Huawei, Tenda and TP-Link.

MARCH 2023

D-Link drops the ball on security

Security Bulletin by D-Link   March 2023
D-Link says "The security and performance of your D-Link devices is of utmost importance to us across all product lines." And yet, take a look at the web page where they publish Security Advisories. Nothing from 2021. Nothing from 2022. Nothing from this year either. Very suspicious. Especially since the items below show there have been security issues with D-Link routers.

Netgear is having a bad stretch

NETGEAR Product Security
Reading about the March 2023 Netgear bugs sent me to the NETGEAR page where they list all their security bug fixes. Pretty big list as you can see below. Netgear issued 18 security bug fixes this month, 26 security bug fixes in December and 70 in November. Chances are, there were some non-security bugs too. I am starting to consider that perhaps Netgear is not very good at software.

3/22/2023 Security Advisory for Cleartext Transmission on Some Orbi WiFi Systems, PSV-2022-0189
3/22/2023 Security Advisory for Command Injection on Some Orbi WiFi Systems, PSV-2022-0188
3/22/2023 Security Advisory for Command Injection on Some Orbi WiFi Systems, PSV-2022-0187
3/22/2023 Security Advisory for Post-authentication Command Injection on the RBR750, PSV-2022-0186
3/15/2023 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2022-0182
3/15/2023 Security Advisory for Authentication Bypass on Some Routers, PSV-2021-0264
3/15/2023 Security Advisory for Security Misconfiguration on Some Routers and WiFi Systems, PSV-2021-0196
3/15/2023 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2021-0182
3/15/2023 Security Advisory for Post-Authentication Command Injection on Some WiFi Systems, PSV-2021-0179
3/15/2023 Security Advisory for Pre-Authentication Command Injection on Some Router and Extenders, PSV-2021-0076
3/15/2023 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2020-0578
3/15/2023 Security Advisory for Post-Authentication Stack Overflow on Some Routers and Extenders, PSV-2020-0482
3/14/2023 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2020-0481
3/14/2023 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2020-0325
3/14/2023 Security Advisory for Denial of Service on Some Routers, PSV-2020-0283
3/14/2023 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2020-0213
3/14/2023 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-2454
3/9/2023 Security Advisory for Multiple Vulnerabilities on the RAX30, PSV-2022-0352
2/14/2023 Security Advisory for Pre-Authentication Command Injection on Some Cable Modem Routers, PSV-2022-0208
12/28/2022 Security Advisory for Denial of Service on Some Routers, PSV-2019-0104
12/28/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2019-0208
12/28/2022 Security Advisory for Security Misconfiguration on Some Routers, PSV-2019-0265
12/28/2022 Security Advisory for Authentication Bypass on CAX30, PSV-2022-0196
12/28/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, Extenders, and WiFi Systems, PSV-2021-0275
12/28/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2021-0165
12/28/2022 Security Advisory for Denial of Service on Some Routers and WiFi Systems, PSV-2021-0189
12/28/2022 Security Advisory for Post-Authentication Command Injection on CAX30, PSV-2022-0194
12/28/2022 Security Advisory for Authentication Bypass on CAX30, PSV-2022-0195
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0194
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0221
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0249
12/28/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers and WiFi Systems, PSV-2020-0333
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0478
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0549
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0568
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0569
12/28/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2020-0288
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0565
12/28/2022 Security Advisory for Sensitive Information Disclosure on Some Routers and WiFi Systems, PSV-2020-0428
12/28/2022 Security Advisory for Sensitive Information Disclosure on ReadyNAS OS 6, PSV-2022-0036
12/28/2022 Security Advisory for Sensitive Information Disclosure on Insight iOS App, PSV-2022-0094
12/28/2022 Security Advisory for Sensitive Information Disclosure on Some WiFi Systems, PSV-2020-0448
12/28/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2022-0165
12/13/2022 Security Advisory for Pre-authentication Buffer Overflow on the RAX30, PSV-2022-0291
12/13/2022 Security Advisory for Multiple Vulnerabilities on the RAX30, PSV-2022-0028 & PSV-2022-0073
11/23/2022 Security Advisory for Pre-Authentication Buffer Overflow on RAX120, PSV-2022-0018
11/8/2022 Security Advisory for Denial of Service on Some Routers, PSV-2022-0001
11/8/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2019-0289
11/8/2022 Security Advisory for Security Misconfiguration on R7000, PSV-2020-0005
11/8/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2022-0096
11/8/2022 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2019-0121
11/8/2022 Security Advisory for Security Misconfiguration on R6700v3, PSV-2019-0065
11/8/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers and Extenders, PSV-2019-0145
11/8/2022 Security Advisory for Post-Authentication Command Injection on Some Routers, PSV-2022-0060
11/8/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2019-0087
11/8/2022 Security Advisory for Denial of Service on Some Routers and Extenders, PSV-2019-0159
11/8/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2019-0156
11/8/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers and Extenders, PSV-2019-0155
11/8/2022 Security Advisory for Denial of Service on Some Routers, PSV-2019-0164
11/8/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2019-0196
11/8/2022 Security Advisory for Stored Cross Site Scripting on Some Routers, PSV-2020-0016
11/7/2022 Security Advisory for Sensitive Information Disclosure on Some Routers, Extenders, and WiFi Systems, PSV-2020-0122
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Switches, PSV-2022-0016
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Switches, PSV-2022-0015
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0518
11/7/2022 Security Advisory for Denial of Service on Some Routers, PSV-2021-0315
11/7/2022 Security Advisory for Authentication Bypass on Some Routers and Extenders, PSV-2021-0316
11/7/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2022-0033
11/7/2022 Security Advisory for Post-authentication Buffer Overflow on Some Routers, PSV-2022-0156
11/7/2022 Security Advisory for Pre-authentication Buffer Overflow on Multiple Products, PSV-2022-0155
11/7/2022 Security Advisory for Pre-authentication Stack Overflow on some Routers and Nighthawk WiFi Mesh Systems, PSV-2022-0146
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers and WiFi Systems, PSV-2021-031
11/7/2022 Security Advisory for Multiple Vulnerabilities on the R7000P, PSV-2022-0144 & PSV-2022-0145
11/7/2022 Security Advisory for Pre-Authentication Command Injection on R7000, PSV-2022-0115
11/7/2022 Security Advisory for Post-Authentication Command Injection on R6260, PSV-2021-0271
11/7/2022 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2021-0346
11/7/2022 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2021-0347
11/7/2022 Security Advisory for Post-Authentication Stack Overflow on R7000, PSV-2019-0167
11/7/2022 Security Advisory for Denial of Service on Some Routers, PSV-2019-0118
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2021-0304
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2020-0345
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on R7000P, PSV-2020-0344
11/7/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2020-0295
11/7/2022 Security Advisory for Denial of Service on Some Routers, PSV-2020-0299
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2020-0303
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2020-0314
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on R7000P, PSV-2020-0312
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on R7000P, PSV-2020-0310
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on R7000P, PSV-2020-0311
11/7/2022 Security Advisory for Stored Cross Site Scripting on Some Routers and WiFi Systems, PSV-2020-0209
11/7/2022 Security Advisory for Sensitive Information Disclosure on Some Routers, Extenders, and WiFi Systems, PSV-2020-0457
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0217
11/7/2022 Security Advisory for Stored Cross Site Scripting on EX7500, PSV-2020-0252
11/7/2022 Security Advisory for Stored Cross Site Scripting on EX7500, PSV-2020-0251
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0259
11/7/2022 Security Advisory for Denial of Service on WiFi Systems, PSV-2020-0260
11/7/2022 Security Advisory for Post-Authentication Stack Overflow on R7000P, PSV-2020-0267
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0358
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Router, PSV-2022-0012
11/7/2022 Security Advisory for Stored Cross Site Scripting on Some Routers, PSV-2020-0447
11/7/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0589
11/7/2022 Security Advisory for Missing Function Level Access Control on Some Routers, PSV-2022-0127
11/7/2022 Security Advisory for Missing Function Level Access Control on R7000, PSV-2022-0133
11/7/2022 Security Advisory for Denial of Service on Some Routers, Extenders, and WiFi Systems, PSV-2021-0153
11/7/2022 Security Advisory for Sensitive Information Disclosure on Some Routers and WiFi Systems, PSV-2020-0449
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2019-0186
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2019-0188
11/7/2022 Security Advisory for Denial of Service on Some Routers, PSV-2019-0215
11/7/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2021-0263
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2022-0061
11/7/2022 Security Advisory for Sensitive Information Disclosure on Some Routers and Extenders, PSV-2019-0248
11/6/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2021-0338
11/6/2022 Security Advisory for Authentication Bypass on Some Routers and Extenders, PSV-2021-0337
11/6/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2022-0005
11/6/2022 Security Advisory for Post-Authentication Stack Overflow on XR300, PSV-2022-0140

Cisco publicizes Netgear bugs

If your Netgear Orbi router isn’t patched, you’ll want to change that pronto
by Dan Goodin of Ars Technica   March 22, 2023
The Talos security team (part of Cisco) found four bugs in Netgear Orbi routers and, within the allotted 90 days, Netgear fixed three of them. The remaining bug is hard to exploit. Boring. What's interesting is that two articles referred to remote bad guys exploiting the bugs, yet all the descriptions talk about local attacks. So, maybe a bit of hype. Also, Netgear has a hidden Telnet service. Their first attempt to fix one of the bugs was half-assed, so it had to be re-done. Bigger picture: Talos found a bug in the RBR750 and said nothing about any other Orbi models. Netgear, too, said nothing about any other models. Are we supposed to believe that, of the dozen or so Orbi devices, only one model had this bug? Really? To me, this is a huge reason to avoid consumer routers.

Critical bug in Fortinet devices

Fortinet: New FortiOS bug used as zero-day to attack government networks
by Sergiu Gatlan of Bleeping Computer   March 13, 2023
A new FortiOS bug (CVE-2022-41328) had a fix released on March 7th, after the bug had already been exploited in the wild. The attackers are targeting government and large organizations. The bug allowed attackers to execute unauthorized code or commands. Interestingly, the attack was noticed when some FortiGate devices shut themselves down after a firmware integrity check failed. Some Fortinet devices verify the integrity of system components at boot and, if a compromise is detected, automatically shut down and refuse to boot in order to block a network breach. Just three months ago, there was another big flaw in Fortinet devices.

FEBRUARY 2023

Aruba devices are a security disaster

Aruba Networks fixes six critical vulnerabilities in ArubaOS
by Bill Toulas of Bleeping Computer   March 1, 2023
I started listing router flaws to convince people not to use consumer grade routers. It turns out that when stepping up, at least to Aruba, the security is no better. Maybe worse. Quoting: "Aruba Networks published a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system." SIX CRITICAL BUGS. Buggy devices can be totally taken over by a remote bad guy. And all six bugs were found by one researcher. The bugs are in the Aruba Networks access point management protocol, aka the PAPI protocol. Their own protocol. It seems they are not trustworthy. Aruba has released fixes. And more: several product versions that have reached End of Life (EoL) are also affected by these bugs and will not be patched. Adding insult to injury, the EoL products are also vulnerable to another 15 high-severity and eight medium-severity vulnerabilities. What a s**t show.

JANUARY 2023

Many Zyxel bugs

Positive Technologies helps fix vulnerabilities in routers and other Zyxel devices
by Positive Technologies February 1, 2023
Zyxel has published fixes for four bugs discovered by Positive Technologies expert Nikita Abramov in several series of Wi-Fi routers. The routers work on 4G and 5G networks. The vulnerabilities affect other Zyxel network devices as well, including optical network terminals, Internet gateways and Wi-Fi amplifiers. Among the buggy devices:
4G LTE routers: LTE3202-M437, LTE3316-M604, LTE7480-M804, LTE490-M904
5G NR routers: NR5103, NR5103E, NR7101, NR7102, NR7103
Optical network terminals (PM7320-B0 and others)
Internet gateways (EX5510-B0 and others)
Wi-Fi amplifiers (WX3100-T0 and others)
Quoting: "... many buffer overflow vulnerabilities arise from incorrect handling of memory (bad allocation or size calculation) or during the data parsing stage, and the execution of commands becomes possible if certain special characters are not filtered. Such flaws often arise from the negligence of developers or insufficient testing." Ouch. It is not at all clear whether Zyxel ever finished issuing bug fixes for all the vulnerable devices.

Cisco to their customers: F... Off

Cisco warns of auth bypass bug with public exploit in EoL routers
by Sergiu Gatlan of Bleeping Computer   January 11, 2023
The routers are old, they are buggy and Cisco will not fix them. As the company has done many times before, their solution is for you to buy another router. This bug is in the web-based management interface of the Cisco Small Business RV016, RV042, RV042G and RV082 routers. The bug is as bad as bad gets: a remote bad guy can get root access to a buggy router. At this point, I wonder if all Cisco routers are buggy. This bug has the same root cause as many of the previous Cisco bugs, improper validation of user input. The bug is CVE-2023-20025 and it was found by Hou Liuyang of Qihoo 360 Netlab. The work-around is to disable remote administration. The article mentions another similar case: Cisco would not fix a critical flaw in the RV110W, RV130, RV130W and RV215W EoL routers.

2022   top

DECEMBER 2022

Security flaw in Netgear routers

Netgear warns users to patch recently fixed WiFi router bug
by Sergiu Gatlan of Bleeping Computer   December 29, 2022
Quoting: "Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible." The buggy devices include the AC and AX Nighthawks; specifically, models RAX40, RAX35, R6400v2, R6700v3, R6900P, R7000P, R7960P and R8000P. The bug is a pre-authentication buffer overflow, which means it can be exploited without knowing the router password. Neither Netgear nor the article said whether it is exploitable from the LAN side, the WAN side or both. The article said the bug is simple to exploit and Netgear owners are urged to update their firmware ASAP. Neither Netgear nor the article said how the company learned of the flaw. I mention this because the Netgear RAX30 was hacked at the recent Pwn2Own contest (see the Router News page).

OCTOBER 2022

Even high end devices can have critical bugs

Fortinet warns admins to patch critical auth bypass bug immediately
by Sergiu Gatlan of Bleeping Computer   October 7, 2022
Fortinet has warned their customers of a critical vulnerability in FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager (FSWM) management platforms. Bug fixes are available. The bug, CVE-2022-40684, is an authentication bypass in the administrative interface; it allows remote bad guys to log in to vulnerable devices. They offer the usual work-arounds for cases where the software can not be updated: limit the source IPs that can reach the admin interface, or disable remote management entirely.

SEPTEMBER 2022

Really, I mean it, don't buy Cisco routers

Cisco won’t fix authentication bypass zero-day in EoL routers
by Sergiu Gatlan of BleepingComputer   September 7, 2022
We have seen this exact same thing twice before. Three strikes and you're out. Quoting: "Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL). This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices..." The buggy routers are the RV110W, RV130, RV130W and RV215W. Cisco says to buy a new router. I agree. Any brand but theirs.

AUGUST 2022

Another wide ranging flaw

Exploit out for critical Realtek flaw affecting many networking devices
by Ionut Ilascu of Bleeping Computer   August 16, 2022
This is a doozy affecting many devices, including routers and access points. The bug is in the Realtek SDK, specifically in the SIP ALG function that rewrites SDP data, which has a stack-based buffer overflow. Bad guys can remotely execute code without authentication, or just crash a vulnerable device. There is no defense on a buggy device and no easy way to tell whether a device is vulnerable. The flaw is identified as CVE-2022-27255. Either there is updated firmware or the device will be vulnerable forever. Routers with no open ports can be hacked. Routers that do not expose Remote Management can be hacked. Realtek issued a bug fix in March 2022, so devices whose firmware was built with the patched SDK after that should be safe. The bug was detailed at the DEF CON conference by cybersecurity company Faraday Security. It is unclear how many networking devices use RTL819x chips, but the RTL819xD version of the System on a Chip is in products from more than 60 vendors, including ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, Zyxel, Tenda, Hikvision, Rockspace, Nexxt, Keo and others. The bug will likely affect routers the most, but some IoT devices may also be affected. Buggy devices run the open-source eCos operating system which, as these things go, is pretty low end: it has no virtual memory and no concept of privileges, so every thread can access every memory location.

At this point, you could not pay me to use a Cisco router

Critical flaws found in four Cisco SMB router ranges - for the second time this year
by Simon Sharwood of The Register   August 5, 2022
For the second time this year, Cisco small business routers have critical flaws. Three flaws this time. The buggy models are the RV160, RV260, RV340 and RV345 series. All three bugs have the same underlying problem: the programmers that work for Cisco are lazy. Put another way, each flaw is due to insufficient input validation. Two of the bugs are critical, and a remote bad guy who does not know any passwords can totally take over the routers. Patches are available, but the safest approach is to switch router vendors.

DrayTek routers have a critical flaw

Critical RCE vulnerability impacts 29 models of DrayTek routers
by Bill Toulas of Bleeping Computer   August 4, 2022
This is the second critical security flaw in DrayTek routers that I am aware of. The bug is a Remote Code Execution flaw with a CVSS v3 severity score of 10 (out of 10). In other words, it is as bad as bad gets: remote attackers can completely take over vulnerable routers. The flaw is a buffer overflow in the web-based management interface. It can be exploited both from the WAN/Internet side and from the LAN side. Bug fixes are available.

JULY 2022

Arris bugs show the company's true personality

Arris / Arris-variant DSL/Fiber router critical vulnerability exposure
by Derek Abdine   July 29, 2022
There are three different bugs in the muhttpd software that runs the web administration portal. One of the bugs is critical; the other two are somewhat impractical to exploit. The buggy muhttpd software is used both in Arris router products and in white-label/OEM products by other vendors. The bug has been confirmed in Arris router models NVG443, NVG599, NVG589 and NVG510, as well as ISP-customized variants such as the BGW210 and BGW320. Here is the bigger issue: "The complete list of affected products is unknown as Arris has declined to comment on the affected product list." Lesson learned: we don't want any products from Arris. The most severe vulnerability allows unauthenticated path traversal from the root of the file system, as the root user, which exposes a whole host of sensitive information. The muhttpd software was patched in June 2022. Prior to that, the last release of the software was in 2010; Arris was content to use software that had not been updated in 12 years, and the path traversal bug appears to have been present since the initial release of muhttpd in 2006. If the web portal is not available on the WAN side, the critical bug can not be exploited remotely. However, it can still be exploited from the LAN side. This is another reason for VLANs, as they let us limit which devices can see the router on the LAN side. The Security Checklist page lists some other LAN side protections that block users/devices from getting at the router.
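What an unauthenticated path traversal in a small embedded web server looks like, beside the check that stops it. This is an added example, not muhttpd's code and not from the Arris write-up; the docroot layout, the file names and their contents are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(docroot, url_path):
    """Maps a request path onto the docroot the way a naive server does:
    decode, strip the leading slash, join, normalise. Nothing stops the
    '..' segments from climbing above docroot."""
    return os.path.normpath(os.path.join(docroot, unquote(url_path).lstrip("/")))


def safe_resolve(docroot, url_path):
    """Decode once, refuse NUL bytes, canonicalise both sides with realpath
    (which also resolves symlinks that point outside the docroot), then
    require the result to stay under docroot. Returns None for anything else."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def build_fixture():
    """Constructed layout for the demo: <tmp>/www is the docroot and
    <tmp>/secret.txt sits one level above it. The contents are made up."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>router</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("admin:hunter2")
    return docroot


def demo():
    """Runs both resolvers against a traversal request, its percent-encoded
    form, a NUL-byte variant and a legitimate request."""
    docroot = build_fixture()
    attack = "/../secret.txt"
    encoded = "/%2e%2e/secret.txt"
    index = os.path.realpath(os.path.join(docroot, "index.html"))
    with open(vulnerable_resolve(docroot, attack)) as f:
        leaked = f.read()
    with open(vulnerable_resolve(docroot, encoded)) as f:
        leaked_encoded = f.read()
    return {
        "vulnerable_reads_secret": leaked,
        "vulnerable_encoded": leaked_encoded,
        "safe_blocks": safe_resolve(docroot, attack),
        "safe_blocks_encoded": safe_resolve(docroot, encoded),
        "safe_blocks_nul": safe_resolve(docroot, "/index.html%00.jpg"),
        "safe_serves_index": safe_resolve(docroot, "/index.html") == index,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %r" % (name, value))
```

Two design points. The safe version decodes exactly once and then works on real, canonical paths rather than on the request string, so it does not matter how the `..` was spelled; a double-encoded `%252e%252e` simply becomes a literal file name that does not exist. And the check is only half the fix: the Arris bug read files as root, so even a server with a correct check should be running as an unprivileged user.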

JUNE 2022

Throw away old Cisco small business routers

If you're using older, vulnerable Cisco small biz routers, throw them out
by Jessica Lyons Hardcastle of The Register   June 16, 2022
Cisco can not be shamed into fixing old buggy routers. A critical vulnerability exists in the web-based management interface of the Cisco RV110W, RV130, RV130W and RV215W routers. These models went End of Life back in 2019. The bug is CVE-2022-20825 and it is due to insufficient validation of user input in incoming HTTP packets. In other words, lazy programmers. In addition, there is a critical vulnerability in Cisco enterprise security appliances that could allow a remote bad guy to log in to the web management interface. That bug they will fix.

MAY 2022

Well, this is new

Two business-grade Netgear VPN routers have security vulnerabilities that can't be fixed
by Zeljka Zorz of Help Net Security   May 20, 2022
Quoting: "Netgear has admitted that multiple security vulnerabilities in its business-grade BR200 and BR500 VPN routers can't be fixed due to technical limitations outside of their control, and is offering users a free or discounted replacement router." Netgear does not offer details of the vulnerabilities, which were reported by Joel St. John of IncludeSecurity. To exploit the bug(s), the router administrator would have to be logged on to the router while visiting a malicious website. Advice about this has been on the home page of this website for years.

Paying lots of money does not get you security

Hackers are exploiting critical bug in Zyxel firewalls and VPNs
by Ionut Ilascu of BleepingComputer   May 15, 2022
Jake Baines of Rapid7 discovered a bug in assorted Zyxel devices. Fixes are available. The bug was serious enough that the NSA warned Zyxel customers to patch immediately. These devices are supposed to provide security. The bug is CVE-2022-30525 and the buggy devices are the USG FLEX series, the ATP series and the USG20-VPN/USG20w-VPN. The bug lets bad guys inject arbitrary commands remotely without authentication. One thing bad guys can do with this is set up a reverse shell. The bug was due to un-sanitized URI input (sound familiar?) being fed into the os.system method. Rapid7 reported that there are over 15,000 vulnerable devices online. Shadowserver found over 20,000 Zyxel firewall models on the Internet that are potentially affected by the bug.
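The pattern behind this bug, and behind the Positive Technologies remark above (January 2023, Many Zyxel bugs) that commands get executed when special characters are not filtered, as an added example. This is not Zyxel's code, not Rapid7's proof of concept and not from either article; the CGI shape, the mtu parameter, the eth0 interface name and the MTU bounds are assumptions made for the example. The vulnerable version only builds the command string and does not run it.

```python
import re
import shlex

# Everything here is illustrative: the field name, the interface name and the
# MTU bounds are assumptions for the example, not details of the Zyxel handler.
WAN_IF = "eth0"
MTU_RE = re.compile(r"[0-9]{3,4}")


def vulnerable_command(params):
    """Builds the command line the way the articles describe the bug: the
    request value is pasted into a shell command that would then go to
    os.system(). The string is returned, not executed, so this runs safely."""
    return "ip link set dev %s mtu %s" % (WAN_IF, params.get("mtu", "1500"))


def shell_metacharacters(value):
    """Characters that let one value end a command and start another once a
    shell parses the line. Returns the ones present in the value, sorted."""
    return sorted(set(re.findall(r"[;&|`$(){}<>\n\r]", value)))


def hardened_argv(params):
    """Hardened version: allow-list the value, convert it, and build an argv
    list meant for subprocess.run(argv) with no shell in between. Anything
    outside the allow-list raises ValueError before any command is built."""
    mtu = params.get("mtu", "1500")
    if MTU_RE.fullmatch(mtu) is None:
        raise ValueError("mtu must be 3 or 4 digits, got %r" % mtu)
    mtu_int = int(mtu)
    if not 576 <= mtu_int <= 9000:
        raise ValueError("mtu %d out of range" % mtu_int)
    return ["ip", "link", "set", "dev", WAN_IF, "mtu", str(mtu_int)]


def is_rejected(params):
    """True when hardened_argv refuses the request."""
    try:
        hardened_argv(params)
    except ValueError:
        return True
    return False


def quoted_command(params):
    """If a shell is unavoidable, shlex.quote() makes the whole value a single
    shell word so metacharacters lose their meaning. Weaker than the argv
    form because it depends on never forgetting the quote even once."""
    return "ip link set dev %s mtu %s" % (WAN_IF, shlex.quote(params.get("mtu", "1500")))


# Constructed sample requests, not captured traffic. The payload is harmless.
BENIGN = {"mtu": "1500"}
MALICIOUS = {"mtu": "1500; id > /tmp/pwned"}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(MALICIOUS))
    print("metacharacters:", shell_metacharacters(MALICIOUS["mtu"]))
    print("hardened:", hardened_argv(BENIGN))
    print("malicious rejected:", is_rejected(MALICIOUS))
    print("quoted:", quoted_command(MALICIOUS))
```

The order of defenses matters: the argv form removes the shell entirely, so a stray `;` can never start a second command even if the allow-list is later loosened; the allow-list then keeps garbage out of the program you do run. Quoting is the fallback for code that really must go through a shell.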

APRIL 2022

Yet another buggy router

Security audit of the SKYWORTH GN542VF router – how to hack the admin panel password without leaving the web browser!
by Alexey Miloserdov   April 5, 2022
The router is somewhat unusual. Each one ships with a unique password. The password is displayed on the login web page, but only if you are on the LAN side, not when you log in from the WAN side. When someone logs in with the correct password from the WAN side, the router shows an error message. Sounds good, at first. However, the password is always in the login page; it is only hidden using JavaScript, which is easily defeated with the developer tools built into the web browser. And, while the router displays an error when someone logs in from the WAN side, it nonetheless logs the person in. The error message is a scam. I don't know what country or ISP uses this router.

MARCH 2022

You can't make this up - another Zyxel critical bug

Zyxel urges customers to patch critical firewall bypass vulnerability
by Charlie Osborne, of ZDNet   April 1, 2022
A critical vulnerability in Zyxel firewall software has just been fixed. Buggy devices include their USG, ZyWALL, USG FLEX, ATP, VPN and NSG series. The company has fixed "products that are within their warranty and support period" and did not say anything about older devices that may also be vulnerable. The bug is due to "the lack of a proper access control mechanism". Words with no meaning. The bug lets a bad guy bypass authentication and obtain administrative access. In other words, it is as bad as bad gets. The bug is CVE-2022-0342.

FEBRUARY 2022

Many Zyxel routers are buggy as heck

Multiple Critical Vulnerabilities in multiple Zyxel devices
by G. Hechenberger, S. Robertz, S. Viehböck and T. Weber of SEC Consult   February 15, 2022
"Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration." All told, SEC Consult found eight different types of bugs. The bugs included: multiple unauthenticated buffer overflows, two unauthenticated Local File Disclosures (which lets bad guys read all files), Unsafe Storage of Sensitive Data and a couple command injection flaws. Not enough? They also found that Zyxel fails to use OS level protection mechanisms like PIE, stack canaries and relocation read only. SEC Consult offered no workarounds (really?). They also failed to say which, if any of the bugs can be exploited from the WAN side as those are obviously more dangerous than bugs that are exploitable from the LAN side only. There are fixes for some, not all devices. Many devices will not be fixed as they are too old to bother with (EoL). Some other devices will get their bug fixes in September 2022. The timeline shows that Zyxel took over a year before they issued fixes. I am told that Zyxel consumer routers are popular in Europe, especially in the UK. The UK popularity stems from their use of BroadCom chipsets that provide a very stable VDSL2 connection over old copper wire that is prone to line noise.

Yet again, critical security flaws in Cisco routers

Cisco inferno: Networking giant reveals three 10/10 rated critical router bugs
by Simon Sharwood of The Register   February 4, 2022
Cisco reminds me of the Wizard of Oz. Seemingly great and powerful on the outside, but inside, a dumpster fire of disgracefully buggy software. The buggy hardware this time is the RV160, RV260, RV340 and RV345 products. Cisco revealed 15 bugs, but a handful are brutal, as bad as bad gets. Some of the bugs are fixed, but not all.

JANUARY 2022

Here we go again, another bug in NetUSB affects many routers

Millions of Wi-Fi routers vulnerable to hacker attack — what you need to do
by Paul Wagenseil of Toms Guide   January 11, 2022
Consumer routers are buggy enough without also expecting them to share assorted devices plugged into their USB ports. Software that enables this sharing, NetUSB, was found to be buggy back in May 2015. NetUSB is used in many routers. Which ones? None of your business. Back in 2015, there were 26 router vendors thought to be using NetUSB. Sometimes NetUSB can be disabled via the router web interface, sometimes not. This bug is a buffer overflow and, fortunately, is hard to exploit. NetUSB listens on port 20005 on the LAN side of the router. Perhaps most worrying is that some routers are doubly buggy and open port 20005 on the WAN/Internet side as well. If so, the router can be sent commands directly, since NetUSB does no authentication. The creator of NetUSB, KCodes, was told of the buffer overrun on Sept. 9, 2021, and a patch was issued on Oct. 4th. Netgear routers, the D7800, R6400v2 and R6700v3, were patched on Dec. 20, 2021. Other vendors that license NetUSB (Edimax, D-Link, Tenda, TP-Link and Western Digital) have done nothing, though D-Link is looking into it. Great reason to avoid TP-Link.


To keep this page small, router bugs from earlier years have been omitted by default. To see them, click the buttons below.



Page Created: February 4, 2015      
Last Updated: June 24, 2026 4PM CT
Viewed 972,361 times
(235/day over 4,134 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2026