Linksys E2500 and E1200 devices suffered from a command injection vulnerability.
4809215ff6bf7ac34139ad0ed64e0c279221a469257b12c842d63878327b9050
Linksys E2500 and E1200 suffer from missing command injection issue in parental control parameters. This allows an attacker to change the control the device remotely.
Combining the attack of no authorization control, it allows an attacker to actually execute unauthenticated command injection attack and thus control the entire device.
More info at:
http://www.samuelhuntley.com/?p=141
http://www.samuelhuntley.com/?p=135
Initial disclosure date: 04/12/16
Fixed date as per Linksys contact: 7/4/16
Linksys contact: Benjamin Samuels, Calvin Clark (security@linksys.com)