Tom’s Hardware
Technology
Mark Tyson

Billion Electric 4G/LTE routers patched to plug catastrophic CVSS level 10 severity flaw

Billion M120N.

Several 4G/LTE routers sold by Billion Electric have been found to suffer from a CVSS level 10 severity flaw, which is rarely seen in the wild. Security Online reports that the routers have a very high potential for exploitation. However, Billion has now prepared a range of firmware updates to address these gaping security holes in its networking hardware. Please get an update immediately if you think you may be affected.

Router models, including the M100, M150, M120N, and M500, are vulnerable to the headline CVE-2024-11980. This is a ‘Missing Authentication’ vulnerability that allows “unauthenticated remote attackers to directly access the specific functionality to obtain partial device information, modify the WiFi SSID, and restart the device,” according to TWCert.

(Image credit: cvedetails.com)

That’s the full official description of CVE-2024-11980, but the ‘Missing Authentication’ classification indicates how exposed routers with this flaw will have been to threat actors. The attack complexity is low, and the privileges required are none, meaning access was pretty much wide open.

If/when an attacker exploits this flaw, they could obtain sensitive information from the hardware, modify the router SSID, and restart the device. That provides plenty of scope for digital chaos.

CVE-2024-11980 was the biggest but not the only bad flaw affecting these Billion branded routers. We also note that these networking devices suffered from the following:

  • CVE-2024-11981 (CVSSv3 7.5): Authentication Bypass, providing attacker access to arbitrary web pages.
  • CVE-2024-11982 (CVSSv3 7.2): Plaintext Storage of a Password (admin access required to retrieve the test files).
  • CVE-2024-11983 (CVSSv3 7.2): OS Command Injection, allowing remote attackers (with admin privileges) to inject and execute code.

We are happy to see Billion issue the new firmware for the affected range of 4G/LTE router solutions. This is far more user- and eWaste-friendly than offering customers a discount on purchasing a new device, a technique that recently earned D-Link NAS equipment some unfavorable headlines. However, we note that some of the Billion routers affected are current models, which are still at retailers.

Credit goes to Chiao-Lin Yu (Steven Meow) for finding these Billion 4G/LTE router flaws, which users should patch ASAP with fresh firmware.
