Twenty different models of Linksys routers have been found to have 10 vulnerabilities classified as both “high risk” and “low risk” issues.
The vulnerabilities could allow cybercriminals to leak information about devices connected to the router, as well as overload the router itself and deny access to a user.
A senior security consultant for IOActive, Tao Sauvage, discovered the issues with independent researcher Antide Petit.
“A number of the security flaws we found are associated with authentication, data sanitisation, privilege escalation, and information disclosure,” Mr Sauvage said in a blog post.
“Additionally, 11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.”
The Mirai botnet affects insecure Internet of Things devices such as cameras, routers and light bulbs.
The models affected are: EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC and the WRT1900ACS.
Linksys issued the following security advisory: “As we work towards publishing firmware updates, as a temporary fix, we recommend that customers using Guest Networks on any of the affected products below temporarily disable this feature to avoid any attempts at malicious activity,” it wrote.
“We will be releasing firmware updates for all affected devices. In order for your device to receive the update as soon as it is available, please make sure you have automatic updates enabled.”
Linksys also recommends users change the default administrator password for their routers.
H/T: The Register