{
	"id": "49222151-4014-4175-b1d3-aa9c87cc74f8",
	"created_at": "2026-04-06T00:16:13.288679Z",
	"updated_at": "2026-04-10T13:11:26.015783Z",
	"deleted_at": null,
	"sha1_hash": "d19a9b01602253c62c53b69ab1fcbcfa75ac50b7",
	"title": "VPNFilter-affected Devices Still Riddled with 19 Bugs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76626,
	"plain_text": "VPNFilter-affected Devices Still Riddled with 19 Bugs\r\nBy By: Tony Yang, Peter Lee Jul 13, 2018 Read time: 4 min (1059 words)\r\nPublished: 2018-07-13 · Archived: 2026-04-05 17:30:59 UTC\r\nOur IoT scanning tool allows users to identify if connected devices (e.g. routers, network attached storage devices,\r\nIP cameras, and printers) in a given network are vulnerable to security risks and vulnerabilities, such as those\r\nrelated to Mirai, Reaper, and WannaCry.\r\nWe gather our data from the Trend Micro™ Home Network Securityproducts solution and HouseCall™ for Home\r\nNetworksproducts scanner. HouseCall for Home Networks is a free tool that features device recognition and\r\nvulnerability scanning in users' networks and connected devices. Home Network Security is a solution plugged\r\ninto users’ routers that protects connected devices from potential cyberattacks. Our scanning can cover multiple\r\noperating systems, including Linux, Mac, Windows, Android, iOS, and other software development kit (SDK)\r\nplatforms.\r\nThis blog tackles the recently ill-famed VPNFilter malware and if deployed devices are vulnerable to it and other\r\nvulnerabilities. VPNFilter is a newly discovered, multi-stage malware (detected by Trend Micro as\r\nELF_VPNFILT.Aopen on a new tab, ELF_VPNFILT.Bopen on a new tab, ELF_VPNFILT.Copen on a new tab,\r\nand ELF_VPNFILT.Dopen on a new tab) that affects many models of connected devices. Initially reportedopen on\r\na new tab at the tail end of May to have infected at least 500,000 networking devices across 54 countries,\r\nincluding those from Linksys, MikroTik, Netgear, and TP-Link, to steal website credentials and even render\r\ndevices unusable, the malware is now seen targeting more devicesopen on a new tab to deliver exploits and even\r\noverride reboots. 
The Federal Bureau of Investigation (FBI) has even released a public service announcement\r\n(PSA), warning that it is the work of foreign threat actors looking to compromise networked devices\r\nworldwide.\r\nDifferent brands and models affected by VPNFilter and more\r\nVPNFilter is known to affect over ten brands and 70 models of devices. Our IoT scanning tool can identify other\r\npublicly known vulnerabilities targeting the devices as listed below:\r\nManufacturer | Model | Device Type\r\nAsus | RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, and RT-N66U | Routers\r\nD-Link | DES-1210-08P | Ethernet switch\r\nD-Link | DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, and DSR-1000N | Routers\r\nHuawei | HG8245 | Router\r\nLinksys | E1200, E2500, E3000, E3200, E4200, RV082, and WRVS4400N | Routers\r\nMikroTik | CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, and STX5 | Routers\r\nNetgear | DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, and UTM50 | Routers\r\nQNAP | TS251, TS439 Pro, and other QNAP NAS devices running QTS software | NAS devices\r\nTP-Link | R600VPN, TL-WR741ND, and TL-WR841N | Routers\r\nUbiquiti | NSM2 and PBE M5 | Wireless access points\r\nZTE | ZXHN H108N | Router\r\nTable 1. Some of the known affected devices by VPNFilter\r\nBased on our data from June 1 to July 12, plenty of the devices are still using old firmware versions. 
In fact, 19\r\nknown vulnerabilities, not only taken advantage of by VPNFilter but other malware as well, can still be detected\r\nin devices up to this day.\r\nAt the time of our scanning, we observed that 34 percent of home networks had at least one device with a known\r\nvulnerability. We found that 9 percent of vulnerable devices are potentially affected by VPNFilter.\r\nDevice Vulnerabilities | Vulnerable Devices/Services\r\nAuthentication Bypass Vulnerability CVE-2015-7261 | QNAP FTP Service\r\nReaper Remote Code Execution CVE-2011-4723 | D-Link DIR-300\r\nRemote Code Execution CVE-2014-9583 | ASUS RT-AC66U, RT-N66U\r\nReaper OS Command Injection CVE-2013-2678 | Linksys E2500\r\nBuffer Overflow Vulnerability CVE-2013-0229 | Vulnerable UPnP Service (e.g. Netgear/TP-Link/D-Link)\r\nStack Overflow Vulnerability CVE-2013-0230 | Vulnerable UPnP Service (e.g. Netgear/TP-Link/D-Link)\r\nRemote Code Execution CVE-2017-6361 | QNAP QTS before 4.2.4 Build 20170313\r\nRouter JSONP Info Leak CVE-2017-8877 | ASUS RT-AC* and RT-N*\r\nRouter Password Disclosure CVE-2017-5521 | Netgear R6400, R7000, R8000\r\nStack Overflow Vulnerability CVE-2012-5958 | Vulnerable UPnP Service (e.g. Netgear/TP-Link/D-Link)\r\nStack Overflow Vulnerability CVE-2012-5959 | Vulnerable UPnP Service (e.g. Netgear/TP-Link/D-Link)\r\nReaper Router Remote Code Execution | D-Link DIR-300\r\nRouter Password Disclosure | Netgear WNR2000\r\nRemote Code Execution CVE-2016-6277 | Netgear R6400, R7000\r\nRouter Session Stealing CVE-2017-6549 | ASUS RT-N66U\r\nOS Command Injection CVE-2013-2679 | Linksys E4200\r\nAuthentication Bypass Vulnerability | Netgear WNR1000\r\nRouter Password Disclosure | Netgear WNR1000\r\nUnauthenticated Router Access Vulnerability | TP-Link TL-WR841N\r\nTable 2. 
19 vulnerability detections on VPNFilter-affected devices\r\nAs expected, the 19 vulnerabilities primarily affect routers. Interestingly, the Authentication Bypass Vulnerability\r\nCVE-2015-7261, an FTP (File Transfer Protocol) flaw in the QNAP NAS firmware, mostly affects printers based\r\non our detection. While determining the possible reason behind this, we found that many of the detected printers’\r\nFTP could connect to the network without any authentication. In some cases, this may be the printer’s default\r\nconfiguration, but it still poses a potential security risk if the FTP is set as open on the internet.\r\nFigure 1. A Shodan result of an FTP connection to a printer without authentication\r\nThe other vulnerabilities detected, such as the Buffer Overflow CVE-2013-0229 and Stack\r\nOverflow CVE-2013-0230, can allow attackers to cause a denial-of-service (DoS) and execute\r\narbitrary code in systems, respectively. Vulnerable UPnP Services detected, moreover, aren’t exclusively\r\nassociated with Netgear/TP-Link/D-Link devices, as other brands could also have the same vulnerability. In that\r\ncase, we can expect more detections.\r\nProtecting devices and networks against VPNFilter malware and other vulnerabilities\r\nThe threat of VPNFilter malware is augmented by the fact that other publicly known vulnerabilities were detected\r\nin the affected devices. Since not all device manufacturers provide immediate fixes for discovered vulnerabilities\r\nand not all users regularly apply patches, users should first secure the way they set up their devices and networks.\r\nTrend Micro™ Home Network Security solution can check internet traffic between the router and all\r\nconnected devices. 
Our IoT scanning tool has been integrated into the Home Network Security solution and\r\nHouseCall™ for Home Networks scanner. Enterprises can also monitor all ports and network protocols\r\nfor advanced threats and thwart targeted attacks with the Trend Micro™ Deep Discovery™ Inspector\r\nnetwork appliance.\r\nAside from adopting security solutions that can protect networks and connected devices from the vulnerabilities\r\nthrough the identification and assessment of potential risks, we recommend standard security measures, such as:\r\n- Updating the firmware versions of devices once they’re available to avoid attacks that exploit known vulnerabilities.\r\n- Avoiding the use of public Wi-Fi on devices that are also used in home or corporate networks.\r\n- Changing device’s default credentials and using strong passwords to deter unauthorized access.\r\n- Being wary of suspicious URLs or attachments from unknown sources that may lead to infecting devices connected to the network.\r\nUsers of the Trend Micro Home Network Security solution are also protected from particular\r\nvulnerabilities via these rules:\r\n1058981 WEB Directory Traversal -21\r\n1130327 EXPLOIT ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution (CVE-2014-9583)\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities"
	],
	"report_names": [
		"vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d19a9b01602253c62c53b69ab1fcbcfa75ac50b7.pdf",
		"text": "https://archive.orkl.eu/d19a9b01602253c62c53b69ab1fcbcfa75ac50b7.txt",
		"img": "https://archive.orkl.eu/d19a9b01602253c62c53b69ab1fcbcfa75ac50b7.jpg"
	}
}