Remote Code Execution in Belkin LINKSYS RE6500 Devices
CVE-2020-35714

8.8HIGH

Key Information:

Vendor
Linksys
Status
Re6500 Firmware
Vendor
CVE Published:
26 December 2020

Summary

The Belkin LINKSYS RE6500 devices prior to version 1.0.11.001 contain a vulnerability that permits remote authenticated users to execute arbitrary commands on the device. This is achieved by leveraging the 'goform/systemCommand' endpoint in combination with the 'goform/pingstart' program, potentially exposing the device to unauthorized command execution and compromising the security of the network.

References

https://resolverblog.blogspot.com/2020/07/linksys-re6500-...
x_refsource_MISC
https://downloads.linksys.com/support/assets/releasenotes...
x_refsource_MISC
https://bugcrowd.com/disclosures/72d7246b-f77f-4f7f-9bd1-...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.