What is it?
A vulnerability in multiple Linksys routers that is currently being exploited by a worm known as “TheMoon.”
How does it work?
The web-based management interface of the routers provides the tmUnblock.cgi script. This can be accessed remotely by unauthenticated attackers and contains a command injection vulnerability through the ‘ttcp_ip’ parameter. This allows execution of arbitrary commands on the device.
Should I be worried?
Multiple E-Series and other models are known to be vulnerable, but a full overview of all affected models is not available at the time of writing. Check if the router has the affected script and, if so, consider it vulnerable. Reports indicate that hndUnblock.cgi may be similarly affected, so check if this exists too.
How can I prevent it?
At the time of writing, there are no known fixes. Users can reduce exposure by configuring routers to not permit external access to the web-based interface.