Friday, 31 July 2020

Linksys RE6500 - CVE-2020-35713 CVE-2020-35714 CVE-2020-35715 CVE-2020-35716 - Unauthenticated RCE: Full Disclosure

Linksys RE6500 is a pretty new range extender built by Linksys, well, more properly by Belkin. A USA product built just a few thousand km east in the "suicide factory" (the Foxconn factory, China).


My goal was to achieve a personal need, telnet access. I never expected to come across such big security holes; more properly, between a poorly implemented backdoor (goform/j78G-DFdg_24Mhw3?password=) and lousy code, in the end I discovered a few security flaws.

tl;dr

li a0, "RCE"

Index