CVE-2020-35714

8.8 HIGH

📋 TL;DR

This vulnerability allows remote authenticated users to execute arbitrary commands on Belkin LINKSYS RE6500 devices via the web interface. Attackers can inject commands through the systemCommand parameter, potentially gaining full control of affected routers. Users with RE6500 devices running firmware versions before 1.0.11.001 are affected.

💻 Affected Systems

Products:
  • Belkin LINKSYS RE6500
Versions: All versions before 1.0.11.001
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface, but default credentials or other vulnerabilities could provide this access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the device for botnet activities.

🟠 Likely Case

Attackers gain administrative access to the router, modify network settings, intercept credentials, and potentially compromise connected devices.

🟢 If Mitigated

Limited to authenticated users only, but still allows privilege escalation and command execution within the router's context.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and authenticated access could be obtained through default credentials or other vulnerabilities.
🏢 Internal Only: MEDIUM - If the web interface is only accessible internally, risk is reduced but still significant for authenticated attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is simple to execute via HTTP requests to specific endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.11.001 and later (specifically 1.0.012.001 mentioned in release notes)

Vendor Advisory: https://downloads.linksys.com/support/assets/releasenotes/ExternalReleaseNotes_RE6500_1.0.012.001.txt

Restart Required: Yes

Instructions:

1. Log into router web interface.
2. Navigate to Administration > Firmware Upgrade.
3. Download firmware version 1.0.012.001 or later from Linksys website.
4. Upload and install the firmware.
5. Router will reboot automatically.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevents external access to the web interface where the vulnerability exists.

Change Default Credentials

all

Mitigates risk by preventing unauthorized authenticated access to the vulnerable interface.

🧯 If You Can't Patch

  • Isolate the RE6500 router on a separate network segment with strict firewall rules
  • Implement network monitoring for unusual HTTP requests to goform/systemCommand or goform/pingstart endpoints

🔍 How to Verify

Check if Vulnerable:

Check current firmware version via web interface at Administration > Firmware Upgrade or via SSH if enabled. Version should be 1.0.11.001 or higher.

Check Version:

curl -s http://router-ip/status.cgi | grep -i firmware || ssh admin@router-ip 'cat /etc/version'

Verify Fix Applied:

After patching, verify firmware version shows 1.0.11.001 or later. Test that systemCommand parameter no longer executes arbitrary commands.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'goform/systemCommand' or 'goform/pingstart' with command parameters
  • Unusual command execution in router logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • HTTP POST requests to router IP on port 80/443 with command injection patterns
  • Unusual outbound connections from router to external IPs

SIEM Query:

source="router_logs" AND ("goform/systemCommand" OR "goform/pingstart") AND command=*
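
One way to implement the log check above, as an added example that is not part of the original advisory or any vendor tooling: it scans HTTP log lines for the two goform endpoints and marks requests whose decoded parameter values contain shell metacharacters. The log layout (timestamp, source, method, URI, body), the sample lines, and the names PLACEHOLDER_PARAM and EXAMPLE are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Endpoints this page names as indicators (compared in lower case).
WATCHED = ("goform/systemcommand", "goform/pingstart")
# Characters that chain or substitute commands in a POSIX shell.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# Assumed sensor log layout (hypothetical): ts src method uri body
LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (.*)$")

# Constructed sample input; addresses are documentation ranges and
# PLACEHOLDER_PARAM / EXAMPLE stand in for values the page does not give.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 192.0.2.10 GET /index.html -",
    "2024-01-01T10:00:05Z 192.0.2.10 POST /goform/systemCommand systemCommand=EXAMPLE",
    "2024-01-01T10:00:09Z 192.0.2.11 POST /goform/pingstart PLACEHOLDER_PARAM=198.51.100.1%3BEXAMPLE",
    "2024-01-01T10:00:12Z 192.0.2.12 POST /GoForm/pingstart PLACEHOLDER_PARAM=198.51.100.1",
    "garbled line",
]

def scan(lines):
    """Return one finding per request that reaches a watched endpoint."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, method, uri, body = m.groups()
        path, _, query = uri.partition("?")
        decoded_path = unquote(path).lower()
        endpoint = next((e for e in WATCHED if e in decoded_path), None)
        if endpoint is None:
            continue
        # parse_qsl percent-decodes names and values from query and form body
        params = parse_qsl(query, keep_blank_values=True)
        if body != "-":
            params += parse_qsl(body, keep_blank_values=True)
        flagged = sorted({k for k, v in params if SHELL_META.search(v)})
        findings.append({
            "ts": ts, "src": src, "method": method, "endpoint": endpoint,
            "meta_params": flagged,
            "severity": "high" if flagged else "review",
        })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Requests marked "review" still reach an endpoint this page lists as an indicator; the severity only separates them from requests that also carry metacharacters.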
