Are Sagemcom Routers Susceptible to the VPNFilter Malware?

I'm renting this router from Spectrum and assuming (hopefully correct) that Spectrum has done something on their end as we can't reset the router to factory default settings.


One thing that's confusing is the name of the malware as it seems to say that routers that have been setup with a VPN are affected.  If you don't use a VPN, can it still affect your router?

Proven Sharer

Re: Are Sagemcom Routers Susceptible to the VPNFilter Malware?

First, these are peer-to-peer forums staffed by customers with experience in the unique technologies of cable systems.  We're not Spectrum employees and have neither any financial interest in nor influence over their management or business practices.  Now lets move to your question at hand:  

Spectrum did not receive any advance information from the device manufacturers, industry trade groups, or government security agencies prior to the public disclosure. 

I doubt that any of the regular forum contributors have detailed information beyond that being widely spread by the trade press.  I have not seen anyone report issues here in the forums that have been identified as or traced to the VPNFilter malware.  Therefore we can't accurately answer your question. 

Lead Moderator

Re: Are Sagemcom Routers Susceptible to the VPNFilter Malware?

Good morning!


Beginning  (today) Thursday, May 31, 2018, Spectrum will conduct a power cycle and firmware upgrades during the maintenance window for all devices managed by Charter on behalf of all customers.   Affected customers may restart their routers if desired through spectrum.net/resetmodem.  Customers who own their router will need to power cycle  their routers manually.



How do I reset/powercycle my wifi router?:
  1. Unplug your router from its power outlet (don't just turn it off).
  2. Wait 15-20 seconds, then plug it back in.
  3. Allow the device a minute or two to turn back on.


Julia R.
Spectrum-Social Media Customer Care
Lead Moderator-Community Forums

Proven Sharer

Re: Are Sagemcom Routers Susceptible to the VPNFilter Malware?

Hard to protect

[Wednesday’s] report is concerning because routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet. While the researchers still don’t know precisely how the devices are getting infected, almost all of those targeted have known public exploits or default credentials that make compromise straightforward. Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button in the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to reenter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.

Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of "some" router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.)

There's no easy way to determine if a router has been infected. It's not yet clear if running the latest firmware and changing default passwords prevents infections in all cases. Cisco and Symantec said the attackers are exploiting known vulnerabilities, but given the general quality of IoT firmware, it may be possible the attackers are also exploiting zeroday flaws, which, by definition, device manufacturers have yet to fix.

What this means is that, out of an abundance of caution, users of the devices listed above should do a factory reset as soon as possible, or at a minimum, they should reboot. People should then check with the manufacturer for advice. For more advanced users, the Cisco report provides detailed indicators of compromise and firewall rules that can detect exploits.