Authentication Vulnerability CVE-2021-20090 in Arcadyan-based Routers and Modems

Routers and modems from the Taiwan-based manufacturer Arcadyan are affected by the vulnerability CVE-2021-20090, which can be used to bypass authentication. The routers and modems are sold under many trade names by other manufacturers.


The vulnerability was discovered by Tenable and described in a document. CERT/CC has since published a security advisory for CVE-2021-20090, dated July 20, 2021.

A path traversal vulnerability (CVE-2021-20090) exists in numerous routers from various vendors that use Arcadyan-based firmware. This vulnerability allows an unauthenticated user to access sensitive information that is normally protected, and also allows changes to the router configuration.

If this vulnerability is successfully exploited, an attacker can access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens that could be used to make requests to change router settings.
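A defensive check for the kind of request described above, added here as an example (it is not code from Tenable, CERT/CC or this blog): it scans HTTP access logs taken from a proxy or monitoring point in front of a router's web interface and flags request paths that contain traversal segments, including percent-encoded and double-encoded ones. The Common Log Format input, the addresses and the paths are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_traversal(target):
    """True if the request path holds a '..' segment once it is decoded."""
    path = target.split("?", 1)[0]            # inspect the path, not the query
    path = fully_decode(path).replace("\\", "/")
    return ".." in path.split("/")            # whole segments only, so 'v1..2' is fine

def flag_requests(log_lines):
    """Return (client, target, status) for each request with a traversal segment."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

# Constructed sample lines: documentation IP ranges, hypothetical paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jul/2021:10:00:01 +0000] "GET /index.htm HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Jul/2021:10:00:05 +0000] "GET /public/../settings.htm HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jul/2021:10:00:06 +0000] "GET /public/..%2fsettings.htm HTTP/1.1" 200 5120',
    '203.0.113.4 - - [20/Jul/2021:10:00:09 +0000] "GET /public/%252e%252e%252fsettings.htm HTTP/1.1" 404 0',
    '192.0.2.10 - - [20/Jul/2021:10:00:12 +0000] "GET /docs/v1..2/notes.htm HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for client, target, status in flag_requests(SAMPLE_LOG):
        # A 2xx answer to a traversal request deserves the closest look.
        print(f"{client} {status} {target}")
```

A flagged request answered with a 2xx status from a client that never logged in is the case to investigate first.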

The security researcher who discovered the vulnerability initially assumed it was limited to one router vendor and published his findings, but then discovered the problem exists in Arcadyan-based software used in routers from multiple vendors. Tenable has this list of affected devices:

| Vendor | Device | Found on version |
|---|---|---|
| ADB | ADSL wireless IAD router | 1.26S-R-3P |
| Arcadyan | ARV7519 | |
| Arcadyan | VRV9517 | 6.00.17 build04 |
| Arcadyan | VGV7519 | 3.01.116 |
| Arcadyan | VRV9518 | 1.01.00 build44 |
| ASUS | DSL-AC88U (Arc VRV9517) | 1.10.05 build502 |
| ASUS | DSL-AC87VG (Arc VRV9510) | 1.05.18 build305 |
| ASUS | DSL-AC3100 | 1.10.05 build503 |
| ASUS | DSL-AC68VG | 5.00.08 build272 |
| Beeline | Smart Box Flash | 1.00.13_beta4 |
| British Telecom | WE410443-SA | 1.02.12 build02 |
| Buffalo | WSR-2533DHPL2 | 1.02 |
| Buffalo | WSR-2533DHP3 | 1.24 |
| Buffalo | BBR-4HG | |
| Buffalo | BBR-4MG | 2.08 Release 0002 |
| Buffalo | WSR-3200AX4S | 1.1 |
| Buffalo | WSR-1166DHP2 | 1.15 |
| Buffalo | WXR-5700AX7S | 1.11 |
| Deutsche Telekom | Speedport Smart 3 | 010137. |
| HughesNet | HT2000W | 0.10.10 |
| KPN | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453 |
| KPN | VGV7519 | 3.01.116 |
| O2 | HomeBox 6441 | 1.01.36 |
| Orange | LiveBox Fibra (PRV3399) | |
| Skinny | Smart Modem (Arcadyan VRV9517) | 6.00.16 build01 |
| SparkNZ | Smart Modem (Arcadyan VRV9517) | 6.00.17 build04 |
| Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM | 1.01.00 build44 |
| TelMex | PRV33AC | |
| TelMex | VRV7006 | |
| Telstra | Smart Modem Gen 2 (LH1000) | 0.13.01r |
| Telus | WiFi Hub (PRV65B444A-S-TS) | v3.00.20 |
| Telus | NH20A | 1.00.10debug build06 |
| Verizon | Fios G3100 | |
| Vodafone | EasyBox 904 | 4.16 |
| Vodafone | EasyBox 903 | 30.05.714 |
| Vodafone | EasyBox 802 | 20.02.226 |

The CERT/CC recommends updating the router to the latest available firmware version. It is also recommended to disable the remote administration services (WAN side) on each SoHo router and also disable the web interface on the WAN.

