Linksys RE6500
cpe:2.3:o:linksys:re6500_firmware:*:*:*:*:*:*:*
- 1.0.013.001
- 1.0.04.001
- 1.2.07.001
- 1.1.05.003
- 1.0.04.002
A command injection vulnerability has been identified in Linksys router models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, all running specific firmware versions. The vulnerability resides in the addStaticRoute function of the /goform/addStaticRoute file, where several static route parameters can be manipulated to inject and execute arbitrary operating system commands. This issue can be exploited remotely, and a public proof-of-concept exploit is available.
Exploitation of this vulnerability allows for arbitrary operating system command execution on the affected router.
To reproduce this vulnerability, send a POST request to the /goform/addStaticRoute endpoint with the staticRoute_IP_setting, staticRoute_Netmask_setting, staticRoute_Gateway_setting, staticRoute_Metric_setting, and staticRoute_destType_setting parameters. The staticRoute_destType_setting parameter should be crafted to include the desired command, such as launching a reverse shell via telnet.
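A defensive check for the request described above, as an added example that is not part of the original advisory or any Linksys code: it flags POSTs to /goform/addStaticRoute whose static route fields contain anything outside a conservative character set. The allow-list, the function names and the sample requests (including the `NET` value) are assumptions constructed for illustration; the page does not list the legitimate values for these fields.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/goform/addStaticRoute"
ROUTE_PARAMS = (
    "staticRoute_IP_setting",
    "staticRoute_Netmask_setting",
    "staticRoute_Gateway_setting",
    "staticRoute_Metric_setting",
    "staticRoute_destType_setting",
)
# Assumption: legitimate values are dotted quads, small integers or short
# alphanumeric tokens, so any other character (space, ;, |, `, $, newline)
# in these fields is treated as suspicious.
SAFE_VALUE = re.compile(r"[A-Za-z0-9.]{0,32}")


def suspicious_params(method, path, body):
    """Return {param: decoded value} for route fields that fail the allow-list."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return {}
    hits = {}
    # parse_qsl URL-decodes values, so percent-encoded metacharacters are seen.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in ROUTE_PARAMS and not SAFE_VALUE.fullmatch(value):
            hits[name] = value
    return hits


# Constructed sample requests (method, path, form body); not captured traffic.
BENIGN = ("staticRoute_IP_setting=10.0.0.0&staticRoute_Netmask_setting=255.255.255.0"
          "&staticRoute_Gateway_setting=192.168.1.1&staticRoute_Metric_setting=1"
          "&staticRoute_destType_setting=NET")
SAMPLES = [
    ("POST", ENDPOINT, BENIGN),
    ("POST", ENDPOINT, BENIGN + "%3Becho+constructed"),  # metacharacter appended
    ("GET", "/index.html", ""),
]


def scan(samples):
    """Run the check over (method, path, body) tuples, one result per request."""
    return [suspicious_params(*s) for s in samples]


if __name__ == "__main__":
    for sample, hits in zip(SAMPLES, scan(SAMPLES)):
        print(sample[0], sample[1], "ALERT" if hits else "ok", hits)
```

The same allow-list can be applied at a reverse proxy or in log review for the device's management interface; tighten the pattern per field once the legitimate value set is known.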