Skip to main content

Millions of home routers could be hacked by this simple bug

Botnet
(Image credit: Shutterstock / BeeBright)

Cybersecurity researchers have shared details about threat actors actively exploiting a critical authentication bypass vulnerability in the Arcadyan firmware in routers to add them to the Mirai botnet.

The vulnerable devices include several routers from multiple vendors and ISPs, including Asus, British Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone, Telstra, and Telus.

Based on the list of vendors, researchers from Juniper Threat Labs estimate that the bug probably impacts millions of routers.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The researchers came across the attack exploiting the vulnerability while tracking the activity of a threat actor that’s known for targeting network and Internet of Things (IoT) devices.

Useful strategy

The vulnerability tracked as CVE-2021-20090 is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware. With a score of 9.9/10, the vulnerability could be exploited to allow unauthenticated remote attackers to bypass authentication.

The security flaw was discovered by Tenable, which published a security advisory back in April, and published a proof of concept (PoC) exploit code earlier in August.

A couple of days after the publication of the PoC, Juniper Threat Labs identified some attack patterns that attempted to exploit the vulnerability, originating from an IP address located in Wuhan, Hubei province, China.

The researchers believe the threat actors behind this ongoing exploitation activity use malicious tools to deploy a Mirai botnet variant, originally discovered by researchers from Palo Alto’s Unit42 in March. 

Juniper believes the renewed interest shows that the threat actor is now using the new vulnerability to upgrade their infiltration arsenal.

"Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out,” believes Juniper.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.