Unauthenticated RCE in Motorola's MR2600 Router
32 points by MrBruh 4 hours ago | 9 comments
bri3d 5 minutes ago
Vendor wise, these were never really made by a “Motorola” -this is a Zoom router (thus the domain) that used the Motorola name under license.
replyThe “old” Motorola router division Motorola Home got sold to Arris _without_ the brand name in 2013, and then the brand name went to Zoom in 2016. Zoom merged with another vendor called Minim, went bankrupt in 2023, and the assets were bought by a company called e2Companies in 2024.
So e2Companies is who the author should email, but good luck. I’m shocked these were even “maintained” until 2024.
VladVladikoff 49 minutes ago
>42 hosts with remote management
reply>vender doesn’t want to fix it
Sometimes I wonder if the white hat hackers who find such a thing should just take it a step further and patch those hosts. Take the firmware, fix those bugs and update those 42 routers.
CrzyLngPwd 34 minutes ago
Probably simpler to brick them, forcing the owners to upgrade to a modern and supported device.
replyitintheory 14 minutes ago
Isn't just as illegal as exploiting them for nefarious purposes? That's a pretty big risk to take to help a few dozen strangers on the Internet. What happens if your fix has an unforeseen interaction with some configuration on a remote system and your actions cause outage or worse?
replynerdsniper 13 minutes ago
That would be “gray hat”. It would be illegal, though it has happened in the past and to my knowledge no one has yet been prosecuted for illegally fixing vulnerabilities.
replyBut it’s definitely not white hat.
binaryturtle 9 minutes ago
Just flash OpenWRT to them? :) (a script could prepare a matching default config)
reply
I wonder how this would hold up in court, couldn't you argue that routers are generally buggy, how can they force any responsibility if they can easily be hacked?