CVE-2022-38132

Name of the Vulnerable Software and Affected Versions Linksys MR8300 Router version 1.0

Description A command injection issue exists in the Linksys MR8300 router during the registration process for the DDNS Service. An attacker connected to the router's web interface can execute arbitrary OS commands by specifying the username and password. The username and password fields are not properly sanitized and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file on the device.

Recommendations For Linksys MR8300 Router version 1.0, as a temporary workaround, consider disabling the DDNS Service registration functionality until a patch is available. Restrict access to the router's web interface to minimize the risk of exploitation. Avoid using the username and password fields in the affected registration process until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.