As far as the SEC Consult researchers know, only TP-Link has released fixes so far. It has a release schedule for around 40 products.
TP-Link, Netgear, D-Link and ZyXEL did not immediately respond to a request for comment.
This vulnerability is just the latest in a long stream of basic security flaws found in consumer routers in recent years.
"It is safe to say that vulnerability reports like these will continue to appear until a paradigm shift is enacted at the manufacturer level," said Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, via email. Holcomb has found many vulnerabilities in routers and other embedded devices over the past several years. Security Evaluators organized a router hacking contest at the DefCon security conference last year.
The way in which vendors have implemented NetUSB in their products is egregious, Holcomb said. "For instance, hardcoded AES keys, the processing of unvalidated and untrusted data, and kernel integration are all red flags that should have been identified during the early stages of SDLC [software development lifecycle]."