Aaron Weathersby

**Name of the Vulnerable Software and Affected Versions** Linksys WRT1900ACS version 1.0.3.187766 **Description** An issue exists where an unauthenticated user can access a confidential file `setup.js.localized` at the `/ui/1.0.99.187766/dynamic/js/` endpoint, allowing an attacker to obtain a list of possible default guest network passwords. This list, combined with a random 2-digit number, can be used to brute force access to the router's guest network. **Recommendations** For Linksys WRT1900ACS version 1.0.3.187766, consider restricting access to the `/ui/1.0.99.187766/dynamic/js/` endpoint to prevent unauthorized users from accessing the `setup.js.localized` file until a patch is available. Additionally, changing the default guest network password to a strong, unique password can help mitigate the risk of brute force attacks.