
Gateways to Chaos: How We Proved Modems Are a Ticking Time Bomb

DEFCONConference · 21,446 views · 39:43 · 6 months ago

This talk demonstrates multiple critical vulnerabilities in various home and industrial modems, including pre-authentication remote code execution, hard-coded credentials, and insecure UPnP implementations. The research highlights how these devices, often used in critical infrastructure, are frequently left unpatched due to end-of-life status and lack of vendor transparency. The speaker provides a practical methodology for identifying and exploiting these flaws, and releases a web-based security scanner to help users identify vulnerable devices. The presentation emphasizes the systemic risks posed by insecure IoT supply chains and the failure of vendors to properly disclose and remediate vulnerabilities.

Modem Gateways Are Wide Open: Exploiting EOL Hardware at Scale

TLDR: Research presented at DEF CON 33 (2025) exposes a massive, systemic failure in modem security across multiple vendors, including D-Link, Zyxel, and Nokia. By chaining pre-authentication weaknesses (hard-coded credentials, path traversal, unauthenticated configuration leaks, and insecure UPnP implementations) with command injection in diagnostic functions, attackers can achieve full remote code execution on millions of devices. The research highlights the critical danger of end-of-life (EOL) hardware that remains active in both home and industrial environments.

Security researchers often focus on the latest cloud-native vulnerabilities, yet the most dangerous attack surface remains the humble modem sitting on the edge of the network. The recent research from Chiao-Lin Yu (Steven Meow) demonstrates that these devices are not just entry points; they are persistent, unpatchable backdoors into critical infrastructure. When a device reaches its end-of-life (EOL) status, vendors stop issuing patches, but the hardware continues to route traffic for homes, power plants, and emergency services.

The Anatomy of a Modem Compromise

The research focuses on a recurring pattern of failure: vendors treat modems as "set and forget" hardware, leading to insecure default configurations that are rarely audited. The attack surface is surprisingly consistent across manufacturers. Many of these devices still ship the embedded Boa web server, which has had no upstream release since 2005 and carries a known history of authentication bypass vulnerabilities, such as CVE-2022-45956; through it, attackers can often bypass the login page entirely.

Once an attacker gains access to the web interface, the path to root is often trivial. In many cases, the device's MAC address is used to derive the administrative password. Since the MAC address is easily discoverable via ARP packets or physical labels, the "secret" credential is effectively public.

For example, on several D-Link models, the researchers found that the config.xgi file could be fetched without authentication, leaking the device configuration, including the MAC address. From there, Remote Code Execution (RCE) is straightforward. Diagnostic functions such as ping or traceroute build a shell command by concatenating the user-supplied host string, so a host value containing a shell metacharacter executes arbitrary commands as the web server's user, which on these devices is usually root.

# Command injection payload for a vulnerable ping function: the target-host field is
# submitted as "127.0.0.1; cat /etc/passwd", and unquoted concatenation yields
ping -c 1 127.0.0.1; cat /etc/passwd
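The two shapes of that diagnostic handler, as an added example written for this article rather than code from the talk or from any vendor's firmware. It assumes a BusyBox-style `ping -c 1` invocation and a single host field; the vulnerable function reproduces the concatenation the text describes, and the hardened one allow-lists the host and passes argv to the kernel without a shell:

```python
# Added example (not code from the DEF CON talk or any vendor firmware):
# a minimal "diagnostic ping" handler in vulnerable and hardened form.
# The field name "host" and the "ping -c 1" invocation are assumptions.
import re
import subprocess
from typing import List

INJECTED = "127.0.0.1; cat /etc/passwd"   # constructed attacker input


def build_ping_cmd_vulnerable(host: str) -> str:
    """Firmware-style concatenation: whatever is in `host` becomes part of
    a shell line that the CGI later hands to system() / sh -c."""
    return "ping -c 1 " + host


def ping_vulnerable(host: str) -> int:
    # Equivalent to system(): the shell parses ';', '|', '$(...)' inside `host`,
    # so the INJECTED value runs ping and then `cat /etc/passwd`.
    return subprocess.call(build_ping_cmd_vulnerable(host), shell=True)


# Allow-list for a hostname, IPv4 or IPv6 literal. No whitespace, no shell
# metacharacters, and no leading '-' (ping would parse that as an option).
_HOST_RE = re.compile(r"(?!-)[A-Za-z0-9.:-]{1,253}")


def valid_host(host: str) -> bool:
    return _HOST_RE.fullmatch(host) is not None


def build_ping_argv_safe(host: str) -> List[str]:
    if not valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def ping_safe(host: str) -> int:
    # No shell involved: argv goes straight to execve, so ';' cannot split
    # the command and the allow-list stops option injection.
    return subprocess.call(build_ping_argv_safe(host))


if __name__ == "__main__":
    print("vulnerable shell line:", build_ping_cmd_vulnerable(INJECTED))
    try:
        build_ping_argv_safe(INJECTED)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("hardened argv:", build_ping_argv_safe("127.0.0.1"))
```

The allow-list also rejects a leading `-` on purpose: quoting the value with `shlex.quote` would neutralise the `;`, but a value such as `-f` passed as a separate argv element is still parsed by ping as an option, so validation has to happen before the argument is built, not just when the shell is removed.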

Chaining Vulnerabilities for Full Control

What makes this research particularly alarming is the chaining of these flaws. An attacker does not need a single "silver bullet" exploit. Instead, they use a combination of Broken Access Control and Injection to escalate privileges.

The research highlights that even when a web interface is "disabled" for the WAN side, the underlying services often remain active. Furthermore, UPnP (Universal Plug and Play) provides an additional, often overlooked, vector: its control actions carry no authentication by design. By sending crafted UPnP packets, an attacker can force a factory reset or change the device's SSID without ever logging into the web console.

The impact is amplified by the fact that these devices are often interconnected via protocols like MQTT, which is frequently used for remote management. In some cases, researchers found that all devices from a specific vendor shared the same hard-coded MQTT credentials, allowing for mass control of devices across the globe.

The EOL Trap and Supply Chain Negligence

The most frustrating aspect of this research is the vendor response. When researchers reported these flaws to manufacturers like Zyxel and Nokia, the response was almost universally the same: the device is EOL, so no patches will be provided. This creates a dangerous "security debt" where millions of devices remain vulnerable indefinitely.

This is a supply chain failure. Vendors are not maintaining a Software Bill of Materials (SBOM) that would allow them to track which components—like the vulnerable Boa web server—are present in their legacy products. When a vulnerability is found in a shared component, the vendor has no easy way to identify which of their products are affected, leading to the "we don't treat this as a vulnerability" excuse.

What Pentesters Need to Do

If you are performing a penetration test or a red team engagement, stop ignoring the gateway. Treat the modem as a Tier 0 asset. During reconnaissance, scan the gateway itself on both TCP and UDP, not only the hosts behind it. An SSDP responder on UDP 1900 (UPnP's discovery port, which advertises the control endpoint in its LOCATION header), an unexpected management port such as 5555, or a web interface reachable from a network it should not serve is a likely entry point.
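The discovery step a tester runs against the gateway, serving both the UPnP vector described above and the reconnaissance advice here. This is an added example and is not the talk's Modem Security Scanner: it sends an SSDP M-SEARCH, parses the HTTPU replies, and extracts the LOCATION of the device description, which is where the services and the control URLs that unauthenticated SOAP actions are sent to are listed. The sample reply is constructed for the example (the MiniUPnPd banner, address, port and UUID are made up):

```python
# Added example (not the talk's scanner): SSDP discovery of UPnP endpoints
# on a gateway, the step that precedes any SOAP control action.
import socket
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

SSDP_ADDR = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an HTTPU search response into lower-cased header -> value.
    Anything that is not a '200 OK' reply (e.g. a NOTIFY) yields {}."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def control_endpoint(headers: Dict[str, str]) -> Optional[Tuple[str, int, str]]:
    """(host, port, path) of the device description advertised in LOCATION.
    Fetching that XML gives the service list and each service's controlURL."""
    loc = headers.get("location")
    if not loc:
        return None
    u = urlparse(loc)
    if u.scheme != "http" or not u.hostname:
        return None
    return (u.hostname, u.port or 80, u.path or "/")


def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Multicast M-SEARCH and collect every responder (needs a real LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH.encode(), SSDP_ADDR)
    found: List[Dict[str, str]] = []
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            h = parse_ssdp_response(data)
            if h:
                h["_from"] = ip
                found.append(h)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply in the shape an IGD gateway returns; every value
# below is made up for the example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.30 UPnP/1.0 MiniUPnPd/1.4\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for reply in discover():
        print(reply["_from"], reply.get("server"), control_endpoint(reply))
```

Run `discover()` from the LAN you are assessing; the SERVER banner is also the quickest fingerprint of the UPnP stack and kernel the gateway runs. To check the "disabled but still listening" condition the talk describes, send the same M-SEARCH unicast to the gateway's WAN address (replace `SSDP_ADDR`); SSDP answers unicast searches too, so a reply from outside means the control endpoint is reachable there.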

For defenders, the advice is simple but difficult to implement: replace EOL hardware immediately. If replacement is not possible, put the device's management interface behind a firewall you control (an upstream filter on the WAN side and a management VLAN on the LAN side) and allow only the hosts that genuinely need to reach it. Do not rely on the device's own "disable WAN access" setting, since the research shows the underlying services often keep listening regardless.

The Modem Security Scanner released by the researchers is a useful starting point for identifying if your own hardware is part of this massive, unpatched attack surface. We need to stop accepting the "it's old hardware" excuse from vendors and start holding them accountable for the security of the devices that form the backbone of our connectivity. If a device is still in use, it must be secure.

Talk Type: research presentation
Difficulty: advanced
Category: IoT security
Has Demo · Has Code · Tool Released


DEF CON 33 Main Stage Talks · 2025