Router Security Advisory: Realtek SDK miniigd : Authentication Bypass - Remote Code Execution Vulnerability
Overview:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of a router with select Realtek SDKs. Authentication is not required to exploit this vulnerability. The specific flaw exists within the miniigd SOAP service.
References:
Discovered by Ricky "HeadlessZeke" Lawshae
Zero Day Initiative Disclosure: Click here (hyperlink to: http://www.zerodayinitiative.com/advisories/ZDI-15-155/)
Update Date: 5/4/2015
Affected TRENDnet Products
NOTE: TRENDnet routers with a Realtek chipset, which TRENDnet currently offers, are NOT affected by the published vulnerability. No action is required for related routers.
| Model | Hardware Version(s) | Firmware Versions | New Firmware to Fix Exploit |
| TEW-651BR | V1.0 V2.0 | V2.04b01 and older | Available June 12, 2015 |
| TEW-652BRP | V1.0 V2.0 V3.0 | V3.03b01 and older | Available June 12, 2015 |
| TEW-711BR | V1.0 | V1.02b05 and older | Now Available |
| TEW-731BR | V1.0 | V1.02b05 and older | Now Available |