linksys E5600 V1.1.0.26 is vulnerable to command injection in the function ddnsStatus.
The vulnerability results from insufficient validation or sanitization of input data passed to the ddnsStatus function in the router's firmware. An attacker can craft a malicious network request containing embedded system commands that will be executed by the device in the context of its operating system. Due to the network vector (AV:N) and lack of authentication (PR:N) and user interaction (UI:N) requirements, the attack can be performed remotely without any additional privileges.
An attacker can gain full control over the device — including access to sensitive configuration data, ability to modify network settings, and permanent compromise of the router (high confidentiality, integrity, and availability).
Patches available from the manufacturer should be applied in accordance with the references. Until an update is released, it is recommended to restrict access to the device management interface only to trusted IP addresses and disable remote management over the WAN network.
Linksys E5600 with firmware version V1.1.0.26
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinksys E5600
HWLinksyswszystkie wersjeLinksys E5600 Firmware
OSLinksys1.1.0.26
Related vulnerabilities
Command injection w Linksys E5600 — parametr mc.ip funkcji macClone
Command injection w Linksys E5600 via parametr hostname (DynDNS)
Command injection w Linksys E5600 — funkcja runtime.InternetConnection
Command injection w Linksys E5600 via parametr mailex funkcji DynDNS
Command injection w Linksys E5600 via parametr password funkcji DynDNS