Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)

Current Vendor: Belkin
Vendor URL:
Versions affected: Latest FW version - 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin)
Systems Affected: Linksys WRT160NL (maybe others)
Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com
CVE Identifier: CVE-2020-26561
Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


The Linksys WRT160NL is a switch device initially owned by Cisco and, after the sale of its respective technology branch, by Belkin. In the latest version of the official firmware, the web server binary contained a buffer overflow vulnerability that could be remotely triggered by requesting an authenticated endpoint.


Successful exploitation of this vulnerability can lead to remote code execution on the affected device.


The mini_httpd binary in the firmware version 1.0.04 build 2 of the Linksys WRT160NL uses the insecure function sprintf when a specific and authenticated POST request is sent.

The vulnerable function is called create_dir and its decompiled code can be checked below.

Decompiled function with Ghidra

The following request was used to trigger this functionality:

POST /apply.cgi;session_id=42ef7c31a24121c858d670e84d0350d9 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1197
Connection: close
Upgrade-Insecure-Requests: 1



Due to the fact that the product is no longer supported, the best option is to update its firmware with an open-source alternative like OpenWRT.

Vendor Communication

  • 23 Sep 2020 – NCC Group contacted Belkin to make them aware of the found vulnerability.
  • 27 Sep 2020 – A new case is created to look into the issue.
  • 05 Oct 2020 – Answer from Belkin explaining that the device is not actively supported.
  • 20 Oct 2020 – Advisory published.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: 20/10/2020
Written by: Diego Gómez Marañón

Call us before you need us.

Our experts will help you.

Get in touch