A path traversal bug found in Arcadyan firmware-based routers is being exploited by threat actors actively.
The Arcadyan firmware is being used by 17 brands for over 20 different models of routers, summing up to millions of devices in the wild now. However, while all these are at risk already, reports revealed that exploiting has already started against them.
Authentication Bypass Bug in Routers
In April this year, the tenable group found that a critical path traversal vulnerability in various router models puts millions of routers at risk now. Tracked as CVE-2021-20090, this vulnerability was given a severity score of 9.9/10.
— evan grant (@stargravy) August 3, 2021
Tenable detailed about this vulnerability on April 26th and released a proof of concept on August 3. Soon, attacks were reported exploiting this vulnerability existing in several models from various brands like Asus, British Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone, Telstra, and Telus.
Existing for over 10 years, this vulnerability exists in Arcadyan’s firmware of a router’s web interface and lets an unauthenticated attacker bypass the authentication and take over the router. He then can perform any malicious tasks possible.
While the discovery was made and proof of concept was out, attacks were reportedly being carried out since February this year, as per Juniper Threat Labs. Additionally, the security research wing discovered a threat actor exploiting the vulnerability earlier this year.
They said the IP address of the attacker was traced back to a location in Wuhan, Hubei province, China. And these actors are using malicious tools to infiltrate and deploy the Mirai botnet.
Like any other botnet, the Mirai network will perform IoT-based attacks like credential dumping or DDoS attacks when needed against a target. Researchers have linked this attacker to a similar one from March, which attacked similar IoT devices and deployed the Mirai botnet.