CyberSecurityNews

Hackers Can Exploit Motorola MR2600 Firmware Update Process to Gain Code Execution


A newly disclosed unauthenticated remote code execution vulnerability in Motorola MR2600 Wi-Fi routers allows attackers on the local network to upload and install a malicious firmware image without logging in to the router’s administration panel.

According to researcher MrBruh, the Motorola MR2600 Wi-Fi router, whose latest firmware was released in mid-2024, contains a vulnerability in its firmware upload and validation functions.

The attack uses a two-stage firmware update process. First, an attacker sends a specially formatted request to the router’s firmware upload endpoint.

The router is designed to accept firmware images in the SEAMA format and checks for expected header values before accepting an upload.

However, the firmware upload handler incorrectly validates the full HTTP multipart request rather than extracting and checking the uploaded file itself.

Motorola MR2600 Firmware Exploit

Since normal multipart requests begin with boundary characters, legitimate uploads may fail the expected file-header check. An attacker can bypass this behavior by declaring a multipart upload but submitting the raw firmware image directly.

Although the router performs an authentication check after receiving the upload, the check occurs too late. By that point, the uploaded firmware file has already been saved to the router’s temporary storage path.

The device does not remove the file when authentication fails, leaving the malicious image available for the next stage of the attack.

The second issue affects the router’s firmware validation SOAP endpoint. This endpoint should require authentication before it validates and flashes the image saved on the device. However, the authentication logic uses inconsistent URL matching rules.

The router checks whether a requested path contains an allowlisted string. However, it evaluates the protected firmware endpoint by comparing paths exactly.

An attacker can append an allowlisted page name as a URL parameter, causing the router to treat a protected request as publicly accessible.

After bypassing authentication, the attacker can trigger the router’s internal firmware validation function. The device checks the SEAMA image structure and CRC32 checksum before calling its firmware-writing utility.

Because the process does not require cryptographic firmware signing, an attacker can create a valid-looking malicious image that passes these checks. Once flashed, the router reboots and begins running attacker-controlled firmware.

This can provide persistent code execution, enabling an attacker to modify network settings, monitor traffic, deploy malware, or use the router as a foothold for attacks against other devices.

The exploit can be launched by an unauthenticated attacker on the local network. It may also be exploitable over the internet when remote management is enabled.

According to researcher MrBruh’s report, Shodan identified Motorola MR2600 routers exposed online with remote administration enabled at the time of publication.

Motorola’s MR2600 is reportedly end-of-life, and the researcher encountered confusion when attempting to report the issue to Motorola Mobility and Motorola Solutions.

Both organizations reportedly directed the report to the other division, leaving the vulnerability without a confirmed vendor response.

Organizations and home users should immediately turn off remote management on MR2600 routers, restrict administrative access to trusted networks, and consider replacing affected devices with supported hardware.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link