More than 25,000 Linksys Smart Wi-Fi routers are currently impacted by an information disclosure vulnerability which allows remote and unauthenticated access to a vast array of sensitive device information.

This issue is very similar to a Linksys SMART WiFi firmware security issue from 2014 tracked as CVE-2014-8244 which allowed "remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request."

However, as Bad Packets' security researcher Troy Mursch discovered, although that flaw was supposedly fixed about five years ago, the vulnerability is still there. To make things even worse, as Mursch says, the Linksys security team tagged his vulnerability report as "Not applicable / Won’t fix" and closed the issue.

Leaked sensitive information sample

As the researcher discovered, the 25,617 vulnerable Linksys Smart Wi-Fi routers he found using the BinaryEdge are exposing sensitive device information like:

• MAC address of every device that’s ever connected to it (full historical record, not just active devices)

• Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)

• Operating system (such as “Windows 7” or “Android”)

• WAN settings, firewall status, firmware update settings, and DDNS settings

• Additional metadata is logged such as device type, model number, and description

The leaked sensitive information can be accessed by opening a vulnerable Linksys Smart Wi-Fi router's login interface in a web browser and by clicking on the JNAP requests in the left sidebar.

As Mursch also stated in his report, "This sensitive information disclosure vulnerability requires no authentication and can exploited by an attacker with little technical knowledge."

Vulnerable Linksys routers

The researcher found the vulnerable Linksys routers in 146 countries, on the networks of 1,998 internet service providers, with 11,834 of them being discovered in the United States, 4,942 in Chile, 2,068 in Singapore, and 1,215 in Canada.

The rest of the countries were vulnerable Smart Wi-Fi routers were found had under 500 of them accessible from the Internet, with 462 in Hong Kong, 440 in the United Arab Emirates, 280 in Qatar, 255 Russia, 225 in Nicaragua, and 203 in the Netherlands, with the rest of the countries amassing the rest of the 3,723 vulnerable devices.

Mursch also detected thousands of other Linksys Smart Wi-Fi routers which are using the default admin password and can be immediately taken over by potential attackers.

Once a cybercriminal gets control of one of them, the compromised Linksys Smart Wi-Fi routers will allow the attacker to:

• Obtain the SSID and Wi-Fi password in plaintext

• Change the DNS settings to use a rogue DNS server to hijack web traffic

• Open ports in the router’s firewall to directly target devices behind the routers (example: 3389/tcp for Windows RDP)

• Use UPnP to redirect outgoing traffic to the threat actors’ device

• Create an OpenVPN account (supported models) to route malicious traffic through the router

• Disable the router’s internet connection or modify other settings in a destructive manner

Map of vulnerable Linksys Smart Wi-Fi routers

Mursch says that there is still good news even though Linksys might not want to fix the flaw seeing that 14,387 of the total of 25,617 vulnerable routers "currently have automatic firmware updates enabled." This means that if the company will patch the vulnerability in the future, over 14K of them will receive the security update and will be protected automatically.

There's also bad news too though, since "typical recommendation of keeping your router’s firmware up-to-date is not applicable in this case as no fix is available," as Mursch concludes.

Additionally, "Disabling remote web access as a workaround is not an option because Linksys Smart Wi-Fi routers require it for the Linksys App to function."