PSA: Users of the Linksys Velop Pro 6E and 7 mesh routers should change their passwords and Wi-Fi network names through an external web browser. The two models transmit critical information to outside servers in an insecure manner upon initial installation. New patches have emerged since the issue was discovered, but Linksys hasn't publicly responded to the matter, and it is unclear if the latest firmware leaves sensitive data exposed to interception.

Two Linksys mesh routers send sensitive information to an Amazon server without any encryption, according to Belgian consumer organization Testaankoop. The practice could leave passwords, wireless network IDs, and other information open to Man-in-the-Middle attacks.

Upon testing the company's Velop Pro WiFi 6E and 7 routers, Testaankoop found that, during initial setup, they transmit the user's SSID and password in cleartext to a server in the US. User session access tokens and database identification tokens also appeared in the data packets. Attackers could intercept, read, and change this information without the user or Amazon server knowing.

Owners of either of the two models should change their SSID and password using a browser on a PC or mobile device rather than the accompanying app, so that the changes are not sent unencrypted. Visit the Linksys support site for directions.

Users should also always keep their router firmware up-to-date. The company's website hosts manual downloads for the affected devices under SKU labels MX6200 for the Wi-Fi 6E router and MBE7000 for the Wi-Fi 7 variant. However, whether the latest patches address the issue remains unclear.

Testaankoop discovered the problem on firmware version 1.0.8 MX6200_1.0.8.215731 for the Wi-Fi 6E version and 1.0.10.215314 for the Wi-Fi 7 device. As of writing, each product has received one firmware update since, but the brief patch notes don't mention bug fixes or security improvements. Owners should regularly check the support site for updates.

More concerning is that Linksys hasn't publicly acknowledged the issue. Testaankoop reported the vulnerability to the company in Belgium and the UK last November with no response. The firmware released after the initial discovery hadn't fixed the problem, and Linksys hasn't contacted Testaankoop since its latest report. The organization speculates that pre-installed third-party software could be the culprit, but only Linksys could confirm this.
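Since it is unclear whether newer firmware still sends setup data in cleartext, owners can check a packet capture from their own network for their own credentials. The following is an added example, not code from Testaankoop or Linksys: it scans captured payload bytes for a known SSID and passphrase in raw and trivially encoded forms. The request layout, the `cloud.example` host, and the sample credentials are constructed assumptions, since the article does not describe the actual message format.

```python
import base64
from urllib.parse import quote, quote_plus

def encodings(secret):
    """Forms a secret can take on the wire while still being unencrypted."""
    raw = secret.encode("utf-8")
    return {
        "raw": raw,
        "url": quote(secret, safe="").encode(),
        "form": quote_plus(secret).encode(),
        "base64": base64.b64encode(raw),
        "hex": raw.hex().encode(),
    }

def find_cleartext_secrets(payloads, secrets):
    """Return (payload_index, secret_label, encoding) for each exposure."""
    hits = []
    for i, payload in enumerate(payloads):
        for label, value in secrets.items():
            for enc, needle in encodings(value).items():
                if needle in payload:
                    hits.append((i, label, enc))
                    break  # one finding per secret per payload
    return hits

# Constructed test values: use throwaway credentials, then change them.
SECRETS = {"ssid": "Home Net 5G", "passphrase": "t3st-Passw0rd!"}

# Constructed payloads; the request layout and host are assumptions.
PAYLOADS = [
    b'POST /setup HTTP/1.1\r\nHost: cloud.example\r\n\r\n'
    b'{"ssid": "Home Net 5G", "passphrase": "t3st-Passw0rd!"}',
    b'POST /setup HTTP/1.1\r\nHost: cloud.example\r\n\r\n'
    b'ssid=Home+Net+5G&key=t3st-Passw0rd%21',
    bytes.fromhex("1703030020") + bytes(range(32)),  # opaque, TLS-record-shaped
]

if __name__ == "__main__":
    for index, label, enc in find_cleartext_secrets(PAYLOADS, SECRETS):
        print(f"payload {index}: {label} visible ({enc})")
```

An empty result only means the secrets were not found in these encodings; it does not by itself prove the traffic is encrypted.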