Login Sign Up

CVE-2023-31740

7.2 HIGH
Remote Code Execution

📋 TL;DR

This is a command injection vulnerability in Linksys E2000 routers that allows authenticated attackers to execute arbitrary commands with shell privileges. Attackers with web management access can inject commands through specific parameters in the apply.cgi interface. Only Linksys E2000 routers with firmware version 1.0.06 are affected.

💻 Affected Systems

Products:
  • Linksys E2000
Versions: Firmware version 1.0.06
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires web management access; default credentials increase risk significantly.

📦 What is this software?

E2000 Firmware by Linksys

View all CVEs affecting E2000 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, install persistent backdoors, pivot to internal network devices, or use the router for botnet activities.

🟠

Likely Case

Attackers with stolen or default credentials gain shell access to modify router settings, intercept traffic, or use the router as a foothold for internal network attacks.

🟢

If Mitigated

With strong authentication and network segmentation, impact is limited to the router itself without allowing lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication but is trivial to execute once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://linksys.com

Restart Required: No

Instructions:

Check Linksys website for firmware updates. If no patch exists, consider replacing the router with a supported model.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to web management interface

Access router admin panel > Administration > Management > Disable Remote Management

Change Default Credentials

all

Use strong, unique passwords for router administration

Access router admin panel > Administration > Management > Change Password

🧯 If You Can't Patch

  • Segment router on isolated network segment to limit lateral movement
  • Implement network monitoring for suspicious traffic to/from router

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel > Administration > Firmware Upgrade

Check Version:

curl -s http://router-ip/version.cgi | grep Firmware

Verify Fix Applied:

Verify firmware version is no longer 1.0.06

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to apply.cgi with WL_atten parameters
  • Multiple failed login attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from router IP
  • Traffic patterns suggesting command execution

SIEM Query:

source="router-logs" AND (uri="/apply.cgi" AND (param="WL_atten_bb" OR param="WL_atten_radio" OR param="WL_atten_ctl"))

📊 Metadata

CVE ID: CVE-2023-31740
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: May 23, 2023
Last Updated: January 21, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-31740, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)