A recently disclosed vulnerability in routers running Arcadyan firmware is currently being exploited in the wild by unknown threat actors.
The vulnerability, which was disclosed by Tenable researchers on August 3, has been around for at least a decade. Affected are at least 20 router models from 17 vendors, including Verizon, Vodafone, Telus, Telstra, Asus, Beeline, British Telecom, Deutsche Telekom, Buffalo and Orange. The flaw in question, tracked as CVE-2021-20090, is rated critical, with a CVSS score of 9.9.
What Is CVE-2021-20090?
CVE-2021-20090 is a path traversal vulnerability in the web interfaces of routers running Arcadyan firmware. The flaw could allow unauthenticated remote hackers to bypass authentication. Hackers are currently exploiting it against home routers, infecting them with a variant of the infamous Mirai botnet and using them to carry out DDoS attacks. Successful exploitation would grant the unknown hackers access to sensitive information, such as valid request tokens. Once obtained, these could then be used to make requests that alter the affected router's settings.
Attacks Exploiting CVE-2021-20090
On August 6, Juniper researchers “identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China.” It appeared that the hackers were attempting to deploy a Mirai variant in a manner similar to an attack disclosed by Palo Alto Networks in March 2021.
“We had witnessed the same activity starting February 18. The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability. Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out,” Juniper said.
Other Vulnerabilities Exploited Alongside CVE-2021-20090
It seems that this path traversal issue in routers running Arcadyan firmware is not the only one the unidentified hackers have exploited in the past. Other vulnerabilities include CVE-2020-29557 in D-Link DIR-825 R1 devices, CVE-2021-1497 and CVE-2021-1498 in Cisco HyperFlex HX, CVE-2021-31755 in Tenda AC11, CVE-2021-22502 in Micro Focus Operation Bridge Reporter, and CVE-2021-22506 in Micro Focus Access Manager.
To avoid the risks stemming from any such vulnerability, users should update their router firmware to the latest version as soon as a patch is made available.
It is noteworthy that last month Microsoft disclosed a series of security flaws in Netgear routers. The flaws could lead to data leaks and full system takeovers. Fortunately, the vulnerabilities were patched prior to public disclosure.