[johncolanduoni]

If your home router is compromised (which is what the parent comment was talking about, considering it mentioned CVEs) the attacker who now controls it can easily make connections to devices on your network via the router’s local address.

As for how the router that is theoretically not accepting incoming connections from the internet itself gets compromised in the first place: among other issues some routers can be RCEd by a webpage visited by someone inside the LAN[1]. That’s just one example, you can find tons of these if you search for router vulnerabilities. In practice out of date routers end up in botnets frequently.

It has nothing to do with network operators blocking SMB traffic; the attacker can communicate with the router via whatever C2 mechanism they put in the malware, which probably won’t even involve opening a port on the router. The SMB or what have you to the endpoint would be entirely within the LAN.

[1]: https://www.malwarebytes.com/blog/news/2023/02/arris-vulnera...

[dracotomes]

If the router were compromised, what use would "Having a competent firewall on your residential router" be?

The edit was in response to "network operator's routers [...] don't perform any sort of filtering" and had nothing to do with C2 traffic?

[johncolanduoni]

The original comment I responded to said “There are countless routers in between you and your destination which you can't audit anyway. End devices long since consider the routers to be compromised and have everything verified and encrypted in transit.” My point is that having a home router that does not allow incoming connections to the devices behind it - whether that’s due to compromise or misconfiguration - prevents substantial attacks. It’s hard to call a compromised router a “competent firewall”.