Linksys NTP Command Injection Vulnerability in RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000 Routers

A critical command injection vulnerability has been identified in Linksys router models RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000, all running specific firmware versions. The vulnerability resides in the NTP function of the /goform/NTP file, where several time-related parameters can be manipulated to inject and execute arbitrary operating system commands. This issue can be exploited remotely, and the vulnerability has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device's operating system.

Reproduction

To reproduce this vulnerability, send a POST request to the /goform/NTP endpoint with the 'manual_year_select' parameter set to a crafted command, such as one that initiates a reverse shell. The router will execute the injected command, providing access to the device's command line interface.