An unauthenticated reboot flaw has potentially left millions of ARRIS SURFboard modems vulnerable to a simple attack.

The bug exists in the SURFboard 6141 and SURFboard 5100 modems as a result of the devices’ lack of authentication and its susceptibility to cross site request forgery attacks, according to a Security for Real People blog post penned by researcher David Longenecker. 

He that the flaw makes it easy to remotely reboot a modem without even using a password.

He said an attacker can simply browse the devices’ IP address from the local network to access both diagnostic data and the web user interface which includes a reboot function.

ARRIS has reportedly updated the SB6141 firmware and is in the process of making it available to service providers since cable modems aren’t “consumer-updateable.”

Longenecker recommended that users not click on unexpected or untrusted links until the flaw is patched.