CVE-2019-16340
📋 TL;DR
This vulnerability in Belkin Linksys Velop devices allows remote attackers to bypass authentication and retrieve the recovery key via direct access to /sysinfo_json.cgi. This affects all users of Linksys Velop 1.1.8.192419 firmware who haven't updated to a patched version. The recovery key could enable further system compromise.
💻 Affected Systems
- Belkin Linksys Velop
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of the router, intercept all network traffic, install malware on connected devices, and pivot to internal networks.
Likely Case
Attackers retrieve the recovery key, potentially enabling password reset or configuration changes, leading to network disruption or credential theft.
If Mitigated
With proper network segmentation and firewall rules, impact is limited to the router itself without lateral movement to other systems.
🎯 Exploit Status
Exploitation requires only a single HTTP GET request to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.9.195026
Vendor Advisory: https://www.linksys.com/us/support-article?articleNum=207568
Restart Required: Yes
Instructions:
1. Log into Linksys Velop admin interface. 2. Navigate to Connectivity > Firmware Update. 3. Check for updates and install version 1.1.9.195026 or later. 4. Reboot the device after update completes.
🔧 Temporary Workarounds
Block External Access
allConfigure firewall to block external access to Velop admin interface (typically port 80/443).
Network Segmentation
allPlace Velop devices on isolated management VLAN separate from user devices.
🧯 If You Can't Patch
- Disable remote administration and ensure admin interface is only accessible from trusted internal networks.
- Implement strict network monitoring for unauthorized access attempts to /sysinfo_json.cgi endpoint.
🔍 How to Verify
Check if Vulnerable:
Access http://[velop-ip]/sysinfo_json.cgi from a browser. If it returns JSON containing recovery key without authentication, device is vulnerable.Check Version:
Log into admin interface and check Firmware Version under Connectivity section.Verify Fix Applied:
After update, attempt same request. Should return authentication error or not expose recovery key.📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /sysinfo_json.cgi from unauthorized IPs
- Failed authentication attempts followed by successful sysinfo access
Network Indicators:
- Unusual external traffic to router admin port
- HTTP requests to /sysinfo_json.cgi from non-trusted sources
SIEM Query:
sourceIP=* AND destinationPort=80 AND urlPath="/sysinfo_json.cgi"🔗 References
- http://s3.amazonaws.com/downloads.linksys.com/support/assets/releasenotes/WHW03_A03_Velop_Customer_Release_Notes_1.1.9.195026.txt
- https://puzzor.github.io/Linksys-Velop-Authentication-bypass
- https://www.linksys.com/us/support-article?articleNum=207568
- http://s3.amazonaws.com/downloads.linksys.com/support/assets/releasenotes/WHW03_A03_Velop_Customer_Release_Notes_1.1.9.195026.txt
- https://puzzor.github.io/Linksys-Velop-Authentication-bypass
- https://www.linksys.com/us/support-article?articleNum=207568
