Johannes Ullrich

**Name of the Vulnerable Software and Affected Versions** Linksys E-Series routers versions prior to a firmware update Linksys E4200 Linksys E3200 Linksys E3000 Linksys E2500 Linksys E2100L Linksys E2000 Linksys E1550 Linksys E1500 Linksys E1200 Linksys E1000 Linksys E900 **Description** An OS command injection issue exists in Linksys E-Series routers. The vulnerability is present in the `/tmUnblock.cgi` and `/hndUnblock.cgi` API endpoints accessible via HTTP on port 8080. The scripts do not properly sanitize user-supplied input provided through the `ttcp ip` parameter, allowing unauthenticated attackers to inject shell commands. This issue is actively exploited in the wild by the “TheMoon” worm, which deploys a MIPS ELF payload to achieve arbitrary code execution on the router. The worm is actively exploiting this flaw to infect devices. **Recommendations** For Linksys E4200 routers, segment and monitor the network. For Linksys E3200 routers, segment and monitor the network. For Linksys E3000 routers, segment and monitor the network. For Linksys E2500 routers, segment and monitor the network. For Linksys E2100L routers, segment and monitor the network. For Linksys E2000 routers, segment and monitor the network. For Linksys E1550 routers, segment and monitor the network. For Linksys E1500 routers, segment and monitor the network. For Linksys E1200 routers, segment and monitor the network. For Linksys E1000 routers, segment and monitor the network. For Linksys E900 routers, segment and monitor the network. At the moment, there is no information about a newer version that contains a fix for this vulnerability.