Unauthenticated RCE in Motorola’s MR2600 Router
I’m currently on a quest to find at least one Remote Code Execution vulnerability per router vendor. This is the story of how I found an unauthenticated RCE in Motorola’s MR2600 router.
The first problem I had to solve was acquiring the firmware. For the majority of their routers, Motorola doesn’t distribute the firmware publicly; instead, it is only ever distributed via over-the-air updates.
The first exception to this rule that I could find was the Motorola MR2600. It was a Wi-Fi 5 router, with the last firmware update (v1.0.22) released in mid-2024.
https://help.motorolanetwork.com/kb/mr2600/mr2600-software-updates
With the firmware downloaded, I extracted the filesystem and started digging through the router’s CGI scripts and SOAP handlers to see how a legitimate manual update actually worked.
It turned out to be a two-step process: upload the image, then trigger a validation-and-flash routine. As I’d soon discover, both steps were supposed to require authentication but didn’t.
Uploading the Malicious Firmware
In the router firmware, you can find a reference to a fwupload endpoint:
POST /WEBCGI1/prog.fcgi?method=/cgi-bin/fwupload.cgi
... continue reading