Linksys Confirms Router-Targeted 'TheMoon' Malware, Promises Firmware Fixes in Weeks Ahead

Hot on the heels of a 'TheMoon' exploit proof-of-concept being released, Linksys has both confirmed its existence, and also offers up some initial guidance.

'TheMoon' is a self-replicating piece of malware that targets a wide-range of Linksys routers, all of which can utilize a remote access feature. If this feature is enabled, a vulnerability effectively activates that allows someone to bypass the router's authentication system in order to gain access to its admin panel. On the flipside, if this feature is disabled (its official name is "Remote Management Access"), then this vulnerability simply won't exist.

Linksys itself hasn't prepared a list of affected models (yet), outside of stating that it involves older E and N routers, but an exploit writer who looked into official TheMoon files extracted this list:

E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N

It's important to note that the above list might not be complete, and it might also include models which are not affected. Still, if you happen to use any aging Linksys router and have made use of the remote access feature, TheMoon is worth being cautious about.

Linksys has stated that firmware updates for all affected products is in the works, although it will be a couple of weeks before they hit its support site.

Addendum: Belkin has reached out to us to provide an official statement:

Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.