More than a hundred vulnerabilities have been found in small office/home office (SOHO) routers and network-attached storage devices (NAS) from vendors that include Asus, Zyxel, Lenovo, Netgear and other top names, which open them up to remote attackers.
That’s according to Independent Security Evaluators, which pen-tested 13 different models, resulting in 125 different CVEs. The targets ranged from devices designed for general consumers to high-end devices designed for enterprise use; and across the board, the results were not pretty.
“All 13 of the devices we evaluated had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel,” the researchers said in a paper released on Monday. “We obtained root shells on 12 of the devices, allowing complete control over the device, including six which can be remotely exploited without authentication: The Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.”