• Category: Security
  • Status: confirmed
  • Sources: mrbruh.com write-up, HN discussion
  • Summary: A researcher published 2026-07-13 an unauthenticated remote code execution chain in the Motorola MR2600 router, whose last firmware (v1.0.22, mid-2024) is end-of-life. The chain combines improper SEAMA firmware-image validation in the upload endpoint, an authentication check that runs only after the malicious image is already written to /tmp/firmware.img, and inconsistent URI matching (substring allowlist but exact-match denylist) that bypasses auth through a crafted path such as a query-suffixed login URL. It is reachable from the LAN by default and remotely when remote management is enabled, with about 41 devices exposed at disclosure. Motorola Mobility and Motorola Solutions each disclaimed ownership and no fix was issued. No CVE is assigned.
  • Why it matters: A full pre-auth RCE with no vendor willing to own the product leaves affected routers permanently unpatched, so removal or network isolation is the only mitigation.
  • Follow-up: Watch for a CVE assignment, any vendor reversal or fix, and whether more Motorola-branded OEM models share the firmware code paths.

Send feedback on this story