Threat of the month: Linksys router zero-day


What is it?

A vulnerability in multiple Linksys routers that is currently being exploited by a worm known as “TheMoon.”

How does it work?

The web-based management interface of the routers exposes the tmUnblock.cgi script. It can be reached remotely by unauthenticated attackers and contains a command injection vulnerability in the 'ttcp_ip' parameter, which allows execution of arbitrary commands on the device.

Should I be worried?

Multiple E-Series and other models are known to be vulnerable, but a full overview of all affected models is not available at the time of writing. Check whether the router exposes the affected script and, if so, treat it as vulnerable. Reports indicate that hndUnblock.cgi may be similarly affected, so check whether that script exists as well.

How can I prevent it?

At the time of writing, there are no known fixes. Users can reduce exposure by configuring routers to not permit external access to the web-based interface.
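As an added example (not part of the article), the check a defender can run over access logs while no fix exists: flag any request for the two affected CGI scripts that comes from outside the LAN, and any 'ttcp_ip' value that is not a plain IP address. It assumes combined-format access logs from the router or an upstream proxy are available; the log lines below are constructed for the example.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2014:10:02:11 +0000] "POST /tmUnblock.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [13/Feb/2014:10:03:40 +0000] "GET /index.asp HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Feb/2014:10:05:02 +0000] "GET /hndUnblock.cgi?ttcp_ip=192.0.2.1%3Becho+probe HTTP/1.1" 200 33 "-" "curl/7.35"
192.168.1.20 - - [13/Feb/2014:10:06:13 +0000] "GET /tmUnblock.cgi?ttcp_ip=192.168.1.30 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
AFFECTED_SCRIPTS = {"/tmunblock.cgi", "/hndunblock.cgi"}  # named in the article
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

def is_plain_ip(value):
    """True only if value parses as a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_lan(addr):
    return is_plain_ip(addr) and any(ipaddress.ip_address(addr) in n for n in LAN_NETS)

def analyse_line(line):
    """Return a finding dict for requests to an affected script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path.lower() not in AFFECTED_SCRIPTS:
        return None
    reasons = []
    if not is_lan(m["src"]):
        reasons.append("request to affected CGI from non-LAN source")
    # parse_qs decodes %3B and '+', so metacharacters become visible here.
    for value in parse_qs(parts.query).get("ttcp_ip", []):
        if not is_plain_ip(value):
            reasons.append("ttcp_ip is not a plain IP address")
    return {"src": m["src"], "script": parts.path, "reasons": reasons}

def scan_log(text):
    """Findings with at least one reason, in log order."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r and r["reasons"]]
```

A LAN client using the script with a bare IP (the last sample line) produces no finding, since that is the feature's intended use; an external request or a non-IP 'ttcp_ip' value does.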
