He added, “What I found was so terrible, awful, and completely inexcusable! It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!” He said that after hooking it up, he spent about 30 minutes testing the security of the embedded website used to manage the device and, having discovered five major vulnerabilities in it, never used it again. “I chose the Linksys EA2700 Network Manager N600 Wi-Fi Wireless-N Router because it is a major brand device, and was recently released in March 2012, making it an easy choice for home users looking for an easy-to-use home Wi-Fi router.”
“During my research process, I thought it would be good to take a look at how Cisco's newer devices did with regard to securing their administration features,” said Purviance. Purviance also decided to look beyond that router to see if he could turn up any additional issues.
“The latest firmware version 4.30.16 (build 4) remains vulnerable to the attack, dubbed Cross-Site File Upload (CSFU).” He informed then-Linksys owner Cisco of the issue, and while Linksys has published a patch for the router, “as the change log indicates, the patch only addressed an unrelated XSS issue,” Purviance said in a blog post.