HeadlinesBriefing favicon HeadlinesBriefing.com

Unauthenticated RCE Found in Motorola MR2600 Router

Hacker News •
×

A researcher uncovered an unauthenticated remote code execution chain in Motorola's MR2600 Wi‑Fi 5 router (firmware v1.0.22, released mid‑2024). By extracting the firmware and analyzing CGI and SOAP handlers, the attacker discovered that the fwupload endpoint accepts a raw SEAMA image without proper multipart parsing, allowing a malicious firmware file to be written to /tmp/firmware.img without authentication.

The second stage exploits a flawed authentication check in the Load Firmware Validation SOAP API. The router’s allowlist/denylist logic uses substring matching for allowed paths but requires an exact match for the denylisted "/WEBCGI1/" path. By appending an allowlisted string as a query parameter, the request bypasses the check, triggers the validation routine, and invokes the mtd_write command to flash the uploaded image. No cryptographic signing is required, so any attacker can craft a valid SEAMA image.

The exploit works from any LAN host and, if remote management is enabled, from the internet. Shodan currently lists 41 exposed MR2600 units. Prior research by Exodus Intelligence reported related command‑injection and auth‑bypass bugs, but details remain behind a paywall. The researcher attempted responsible disclosure with Motorola, encountering conflicting responses from Motorola Mobility and Motorola Solutions.