This venerable security vulnerability has exposed millions of routers to attack


A 12-year-old security vulnerability may be affecting routers built by “dozens of manufacturers”, exposing millions of users worldwide.

According to researchers from security firm Tenable, the CVE-2021-20090 vulnerability made its way into modern routers due to the reusing of old (and insecure) software code.

The experts believe it could affect at least 20 different devices across 17 different vendors, including Internet Service Providers (ISP) in Argentina, Australia, Canada, Germany, Japan, Mexico, Netherlands, New Zealand, Russia, Spain, and the US.

The vulnerability is a path traversal/authentication bypass, which allows attackers to reconfigure the target router and have it serve malicious content to end users. They could also use it to attack devices connected to the router’s Local Area Network (LAN). With a little more effort, the report states, attackers could also use the authentication bypass to reach features that expose further vulnerabilities.
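To make the "path traversal leads to authentication bypass" mechanism concrete, here is an added example (not code from the article, Tenable, or any affected vendor) of the defensive pattern that closes this class of bug. It assumes a hypothetical web interface where everything under `/public/` is unauthenticated and everything else requires a login; the request paths and log lines are constructed for the example. The vulnerable check trusts the raw path as the client wrote it, so `..` and percent-encoded segments can make a protected resource look public; the hardened check canonicalises the path first and then decides, and the same comparison doubles as a detector over access logs.

```python
"""Path-traversal / authentication-bypass guard (constructed example).

Two authorisation checks for a hypothetical router web UI:
  * naive_is_public    - vulnerable: prefix-matches the raw request path
  * hardened_is_public - canonicalises (percent-decodes, collapses '.'/'..')
                         before the prefix match
and a log-scanning helper that flags requests where the two disagree,
which is exactly the traversal-based bypass pattern.
"""
from urllib.parse import unquote

# Hypothetical unauthenticated area; any other path should require auth.
PUBLIC_PREFIX = "/public/"


def naive_is_public(raw_path: str) -> bool:
    """Vulnerable check: trusts the path exactly as the client sent it."""
    return raw_path.startswith(PUBLIC_PREFIX)


def canonicalize(raw_path: str) -> str:
    """Return the path the server would actually resolve.

    Percent-decoding is repeated until stable so double-encoded
    segments (e.g. %252e%252e) are not missed, then '.' and '..'
    segments are collapsed. Only '/' is treated as a separator here;
    a real server that also accepts '\\' must normalise that too.
    """
    path = raw_path
    for _ in range(3):  # bounded loop: stop when decoding no longer changes anything
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded

    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # empty or current-dir segment: no effect
        if seg == "..":
            if segments:
                segments.pop()  # parent-dir segment: step back, never above root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_is_public(raw_path: str) -> bool:
    """Safe check: authorise on the canonical path, not the raw one."""
    return canonicalize(raw_path).startswith(PUBLIC_PREFIX)


def requires_auth(raw_path: str, hardened: bool = True) -> bool:
    """Authorisation decision for a request, with either check."""
    is_public = hardened_is_public if hardened else naive_is_public
    return not is_public(raw_path)


# Constructed access-log lines: "<METHOD> <PATH> <STATUS>".
SAMPLE_LOG = [
    "GET /public/index.html 200",
    "GET /public/../admin/config 200",
    "GET /public/%2e%2e/admin/config 200",
    "GET /admin/config 401",
]


def flag_bypass_attempts(log_lines):
    """Return raw paths that the naive check would treat as public
    but which canonicalise to a protected location."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        raw = parts[1]
        if naive_is_public(raw) and not hardened_is_public(raw):
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    for raw in ("/public/index.html", "/public/../admin/config"):
        print(f"{raw!r}: naive requires auth={requires_auth(raw, hardened=False)}, "
              f"hardened requires auth={requires_auth(raw)}")
    print("flagged:", flag_bypass_attempts(SAMPLE_LOG))
```

The design point is that the authorisation decision must be made on the same canonical path the file-serving or configuration code will use; any gap between the two representations is where a traversal-based bypass lives. The log helper applies the identical comparison retrospectively, so a defender can sweep existing access logs for requests that only looked public.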

“Given the current trend for a remote, home based, workforce,” the report states, “this not only impacts consumers but has the potential to expose organizations to further uncontrolled risk.”

For Evan Grant, staff research engineer at Tenable, this is absolutely the vendors’ responsibility, and they now need to step up and take action.

“Consumers shouldn’t have to worry that their ISP-provided device will leave them, or their employers, open to attack,” he said. 

Vendor responsibility

“The vendors affected should be taking steps to mitigate the impact of these vulnerabilities on themselves, and their customers. Beyond that, collaboration across all stakeholders — manufacturers, vendors, security researchers — is imperative to overcome the difficulties of reporting vulnerabilities found in shared software libraries and remediate all affected products efficiently.”

But it’s not just the problem of a handful of vendors, the report concludes. This is an industry-wide problem, as there are “significant downstream effects” that come with reused vulnerable software code.

Small and medium-sized businesses, should they fall victim to these attacks, could end up losing sensitive data, as well as revenue. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
