Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.InternetConnection function.
The vulnerability results from improper validation or lack of sanitization of input data passed to the runtime.InternetConnection function in the router firmware. An attacker can provide crafted input containing malicious system commands that will be executed in the context of the device operating system. Due to the network vector (AV:N) and lack of authentication requirements (PR:N) and user interaction (UI:N), the attack can be conducted remotely without any privileges.
Successful exploitation of this vulnerability may allow an attacker to gain complete control over the device, including reading and modifying configuration data, installing malicious software, and using the router as an entry point to the local network.
Apply patches available from the manufacturer according to the references. Until the update is applied, it is recommended to restrict access to the device management interface only to trusted IP addresses and disable remote management from the WAN network side.
Linksys E5600 with firmware version v1.1.0.26
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinksys E5600
HWLinksyswszystkie wersjeLinksys E5600 Firmware
OSLinksys1.1.0.26
Related vulnerabilities
Command injection w Linksys E5600 — parametr mc.ip funkcji macClone
Command injection w Linksys E5600 — funkcja ddnsStatus
Command injection w Linksys E5600 via parametr hostname (DynDNS)
Command injection w Linksys E5600 via parametr mailex funkcji DynDNS
Command injection w Linksys E5600 via parametr password funkcji DynDNS