Security researcher Troy Mursch, writing in in Bad Packets, has reported that 33 models have been affected by the vulnerability. They also share if their default passwords have been changed or not and this has affected between 21,401 and 25,617 vulnerable routers online, 4,000 of which were still using their default passwords. Linksys, however claim it fixed the flaw in 2014 can't replicate the flaw.
The attack can be done by visiting an exposed router's internet address and running a device list request and it supposedly works whether or not the router's firewall is on. Mursch told Ars Technica,
"While [this flaw] was supposedly patched for this issue, our findings have indicated otherwise," says Bad Packets. "Upon contacting the Linksys security team, we were advised to report the vulnerability... After submitting our findings, the reviewing analyst determined the issue was 'not applicable/won't fix' and subsequently closed." It can also include device names like "William's iPhone" plus whether the device is a Mac, PC, iOS or Android device. The combination of a MAC address and Linksys Smart Wi-Fi routers' public IP address can mean that hackers could geo-locate or track "William," claims Mursch.
Linksys were quick to respond, " We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique. JNAP commands are only accessible to users connected to the router’s local network.
We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled."
Bad Packets have released a complete list of the Linksys router models reportedly affected and the region these routers are from. 440 of the affected devices are from the UAE.
Nevertheless it's prudent that Linksys users update their firmare and ensure their device firewalls are active, as this could expose it to attackers.