Researchers find 10 security vulnerabilities across 25 Linksys routers
Security researchers at IOActive Labs have discovered 10 security vulnerabilities across 25 Linksys routers. Four routers from Linksys’ WRT series are affected, along with 21 from the EA series (the full list is below).
Six of the 10 vulnerabilities can grant remote access to attackers, including the ability to cause a denial of service (DoS) that makes the router unresponsive, as well as to inject and execute commands on the router with root privileges. Fortunately, the command injection vulnerability can only be exploited if the attackers have access to an existing admin account, which means that if you’ve changed the default Administrator password you should be protected (and you’re not protected if you haven’t).
IOActive Labs disclosed the vulnerabilities to Linksys in January this year and notes that, “Linksys has been exemplary in handling the disclosure,” and that the company is taking security seriously. However, three months after the disclosure Linksys still doesn’t have a firmware fix for these vulnerabilities.
In its security advisory, Linksys suggests that owners take these steps in the meantime:
1. Enable automatic updates
2. Disable Wi-Fi Guest Network if not in use
3. Change the default Administrator password
These are the 25 Linksys routers affected:
WRT Series
- WRT1200AC
- WRT1900AC
- WRT1900ACS
- WRT3200ACM
EAxxxx Series
- EA2700
- EA2750
- EA3500
- EA4500 v3
- EA6100
- EA6200
- EA6300
- EA6350 v2
- EA6350 v3
- EA6400
- EA6500
- EA6700
- EA6900
- EA7300
- EA7400
- EA7500
- EA8300
- EA8500
- EA9200
- EA9400
- EA9500