Wi-Fi Test Suite Command Injection Vulnerability Found in Arcadyan Routers
A serious security vulnerability has been uncovered in Arcadyan routers, stemming from the unexpected presence of Wi-Fi Alliance’s testing software in production devices.
Security researchers have identified a command injection flaw (CVE-2024-41992) that could allow attackers to gain complete control over affected routers.
Vulnerability Details
The problem is with the Wi-Fi Test Suite, a tool that the Wi-Fi Alliance developed for certification testing. This software, never intended for production use, was found deployed on commercial Arcadyan router models, specifically the FMIMG51AX000J.
According to security experts, successful exploitation of this vulnerability could have severe consequences:
- Complete administrative control over affected routers
- Ability to modify system configurations
- Potential disruption of network services
- Possible compromise of network data
- Risk of service outages for connected users
The issue lies in the tool's susceptibility to command injection. Because the Wi-Fi Test Suite runs on these production routers, an attacker can exploit the flaw and gain complete control over the device by sending specially crafted packets to it.
The Wi-Fi Test Suite listens on TCP ports 8000 and 8080, accepting TLV (Type-Length-Value) packets. Researchers discovered that by manipulating these packets, they could inject malicious commands and achieve remote code execution.
The vulnerability enables unauthorized local attackers to execute commands with root privileges by sending specially crafted network packets to affected devices.
Successful exploitation of this vulnerability grants attackers full administrative access to the affected routers. With this level of control, attackers can modify system configurations, disrupt network services, and potentially compromise the security of all connected devices and users.
During initial attempts to exploit the vulnerability, researchers ran into the short input length that some functions accept, and found alternatives that work around the limit.
By targeting functions that accept larger inputs, such as the “wfaTGSendPing” function, attackers can inject longer, more complex commands and achieve their malicious goals.
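As an added illustration of the bug class, not code from the Wi-Fi Test Suite or from Arcadyan, here is a hypothetical ping helper in the vulnerable shape beside a hardened one: the unsafe version pastes a caller-supplied destination into a shell command line, while the safe version checks the destination against a strict dotted-quad IPv4 pattern and hands an argument vector to execvp so no shell ever parses it. The function names and the IPv4-only policy are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Strict dotted-quad IPv4 check: exactly four decimal octets in 0-255
   and nothing else. Hostnames, whitespace and shell metacharacters all
   fail, so a destination like "10.0.0.1;id" is refused up front. */
int is_dotted_quad(const char *s)
{
    int octets = 0;
    if (s == NULL) return 0;
    for (;;) {
        int val = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (*s - '0');
            if (++digits > 3 || val > 255) return 0;
            s++;
        }
        if (digits == 0) return 0;
        octets++;
        if (*s != '.') break;
        s++;
    }
    return octets == 4 && *s == '\0';
}

/* Vulnerable shape (hypothetical, for contrast): the destination is
   interpolated into a command line that would later go to a shell. */
const char *ping_cmdline_unsafe(const char *dest)
{
    static char line[256];
    snprintf(line, sizeof line, "ping -c 1 %s", dest);
    return line;   /* a ';' in dest survives into the command line */
}

/* Hardened shape: validate first, then bypass the shell entirely by
   giving execvp an argument vector; the destination is one argv entry.
   Returns ping's exit status, or -1 if refused or exec failed. */
int run_ping_safe(const char *dest)
{
    if (!is_dotted_quad(dest)) return -1;   /* refuse before fork() */
    char *argv[] = { "ping", "-c", "1", (char *)dest, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```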
Noam Rathaus from SSD Disclosure made the initial discovery, and Timur Snoke at CERT/CC documented it.