A critical command injection vulnerability has been identified in multiple Linksys products, including the E5600 router. This flaw allows a remote, unauthenticated attacker to execute arbitrary commands on the affected device, potentially leading to a complete system compromise. Successful exploitation could grant an attacker full control over the network device, enabling them to intercept traffic, attack other systems on the network, or disrupt connectivity.

This vulnerability is a command injection flaw within the ddnsStatus function of the device's firmware. The function fails to properly sanitize user-supplied input related to the Dynamic DNS (DDNS) service. An unauthenticated remote attacker can send a specially crafted request to the device's management interface, injecting malicious shell commands into the input fields processed by the ddnsStatus function. These commands are then executed on the underlying operating system with the privileges of the device's web server, which often runs as root, leading to a full system takeover.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant risk to the organization. An attacker who successfully exploits this flaw can gain complete administrative control over the network infrastructure device. The potential consequences include interception and theft of sensitive data traversing the network, using the compromised router as a pivot point to launch attacks against internal assets, disrupting network availability (Denial of Service), and installing persistent backdoors or malware. Compromised devices could also be absorbed into a botnet for use in larger-scale attacks against other targets.

Immediate Action: Immediately apply the latest firmware updates provided by the vendor across all affected Linksys devices. Consult the official Linksys support website to identify and download the appropriate patches for your specific models. After patching, monitor system and access logs for any signs of compromise that may have occurred prior to remediation.

Proactive Monitoring:

• Log Analysis: Review device logs for unusual entries related to the DDNS service, specifically looking for malformed hostnames or input containing shell metacharacters (e.g., ;, |, &&, $()).
• Network Traffic: Monitor for anomalous outbound traffic originating from the router itself, such as connections to unknown or suspicious IP addresses which could indicate a command-and-control (C2) channel.
• System Behavior: Use an Intrusion Detection/Prevention System (IDS/IPS) to detect and alert on common command injection payloads targeting web interfaces.

Compensating Controls:

• If patching is not immediately feasible, disable the DDNS feature on the device to remove the vulnerable attack vector.
• Restrict access to the device's web administration interface to a dedicated, trusted management network.
• Disable remote (WAN-side) management to prevent attackers on the internet from reaching the vulnerable interface.

Public Exploit Available: false

The critical severity (CVSS 9.8) of this vulnerability warrants immediate attention and action. We strongly recommend that organizations prioritize the deployment of the vendor-supplied firmware updates to all affected Linksys devices. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion. Due to the high risk of complete network compromise, remediation should be treated as an emergency change.