Multiple Modem Routers Vulnerable to Unauthenticated Attacks

Published on July 21, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Researchers warn about a critical path traversal vulnerability affecting modems made by Arcadyan which use the same buggy firmware. The flaw is being tracked as CVE-2021-20090 and has a CVSS v3 score of 8.1 (critical). The vulnerability allows an attacker to bypass authentication on a target device remotely, potentially accessing private pages, sensitive information, tokens, or even altering the router settings. The discovery of this comes from the Tenable team, who also found two more flaws (91 and 92) that have a more limited impact (only Buffalo WSR-2533DHPL2).

The modem router devices that are vulnerable to CVE-2021-20090 are the following:

Vendor Device Vulnerable Version
ADB ADSL wireless IAD router 1.26S-R-3P
Arcadyan ARV7519 00.96.00.96.617ES
Arcadyan VRV9517 6.00.17 build04
Arcadyan VGV7519 3.01.116
Arcadyan VRV9518 1.01.00 build44
ASMAX BBR-4MG / SMC7908 ADSL 0.08
ASUS DSL-AC88U (Arc VRV9517) 1.10.05 build502
ASUS DSL-AC87VG (Arc VRV9510) 1.05.18 build305
ASUS DSL-AC3100 1.10.05 build503
ASUS DSL-AC68VG 5.00.08 build272
Beeline Smart Box Flash 1.00.13_beta4
British Telecom WE410443-SA 1.02.12 build02
Buffalo WSR-2533DHPL2 1.02
Buffalo WSR-2533DHP3 1.24
Buffalo BBR-4HG
Buffalo BBR-4MG 2.08 Release 0002
Buffalo WSR-3200AX4S 1.1
Buffalo WSR-1166DHP2 1.15
Buffalo WXR-5700AX7S 1.11
Deutsche Telekom Speedport Smart 3 010137.4.8.001.0
HughesNet HT2000W 0.10.10
KPN ExperiaBox V10A (Arcadyan VRV9517) 5.00.48 build453
KPN VGV7519 3.01.116
O2 HomeBox 6441 1.01.36
Orange LiveBox Fibra (PRV3399) 00.96.00.96.617ES
Skinny Smart Modem (Arcadyan VRV9517) 6.00.16 build01
SparkNZ Smart Modem (Arcadyan VRV9517) 6.00.17 build04
Telecom (Argentina) Arcadyan VRV9518VAC23-A-OS-AM 1.01.00 build44
TelMex PRV33AC 1.31.005.0012
TelMex VRV7006
Telstra Smart Modem Gen 2 (LH1000) 0.13.01r
Telus WiFi Hub (PRV65B444A-S-TS) v3.00.20
Telus NH20A 1.00.10debug build06
Verizon Fios G3100 1.5.0.10
Vodafone EasyBox 904 4.16
Vodafone EasyBox 903 30.05.714
Vodafone EasyBox 802 20.02.226

Tenable found out about this in January 2021 and reported the issue to the manufacturers in the months that followed. The more digging they did, the more device models and vendors were added to the list, and today, the advisory is considered to have its final form, including a total of nine modem router vendors.

The solution to the problem can only come via firmware updates, but this hasn’t been made available by all vendors and for all of the affected models. In some cases, we’re talking about EOL products, so these will have to be replaced by new ones. If you’re using any of the modems presented in the list, go ahead and check for any available firmware updates. If you’re running a vulnerable version and there’s no patch available to apply, you should be able to mitigate the risk by disabling the WAN-side administration services on your router as well as the web interface on the WAN.

As always, keep an eye on your modem vendor’s security advisory page and apply patches as soon as they’re made available. Now that the flaw has been published, malicious hackers will start scanning for vulnerable endpoints, so the exploitation rate will pick up. Hopefully, it won’t be long before most vendors respond with fixing action, but addressing the problem requires the end user's involvement. Unfortunately, there are millions affected by this flaw. This is why the CERT Coordination Center is now taking part in the effort to communicate the problem widely.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: