Trend Micro researcher Ricky Lawshae took a deep dive into the firmware and was able to get the Linksys WVBR0-25 to divulge a wealth of information from the device's web server without requiring any authentication whatsoever. There wasn't even a login screen, just a wall of easily accessible text, which included:
- Customer WPS PIN
- Connected clients
- Processes currently running
"It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point I became pretty frustrated.
The vendors involved here should have some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to effect the changes needed in the industry to prevent simple yet impactful bugs from reaching unsuspecting consumers."
It gets worse, though. When the Zero Day Initiative (ZDI) reported this security flaw to the manufacturer, rather than issuing a patch to correct it, the manufacturer simply ceased all communication. After more than six months of trying and getting nowhere, ZDI decided to publicize the vulnerability in the hope that doing so would finally prompt the company to take action.
Until they do, your only real option (aside from simply canceling your service) is to limit the number of devices that can interact with the Linksys WVBR0-25, so as to limit your exposure.