Home
 » ISP News » 
Sponsored Links

UPDATE Modern NETGEAR Routers Hit by Command Injection Vulnerability

Wednesday, Dec 14th, 2016 (10:48 am) - Score 1,303

Do you own a modern NETGEAR broadband router (i.e. R6200, R6400, R6700, R7000, R7100LG, R7300, R7900 and R8000)? If so then we’ve got bad news because a major security flaw, which was first identified and notified to the manufacturer in August 2016, still hasn’t been completely fixed.

The vulnerability, which has been described as “trivial” for a hacker to exploit, stems from the fact that NETGEAR’s kit doesn’t do a very good job of filtering out remote commands that have been sent via the Internet or even via your own Local Area Network (LAN).

As a result the hacker can easily gain access and then full control of the router, which has all kinds of security and privacy implications for any traffic that goes over your network.

Advertisement

Vulnerability Note VU#582384

Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, R6400, firmware version 1.0.1.12_1.0.11 and possibly earlier, and R8000, firmware version 1.0.3.4_1.1.2 and possibly earlier, contain an arbitrary command injection vulnerability.

By convincing a user to visit a specially crafted web site, a remote, unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. An unauthenticated, LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:

http:///cgi-bin/;COMMAND

An exploit demonstrating these vulnerabilities has been publicly disclosed.

Netgear’s advisory confirms that the R6200, R6400, R6700, R7000, R7100LG, R7300, R7900, and R8000 are vulnerable, though affected firmware versions are not enumerated. The vendor has indicated that their advisory will be updated as firmware updates are released.

The new exploit doesn’t require any sort of authentication and can work even when the device’s remote management feature is not visible to the Internet. In essence all the hacker has to do is get you to visit a website and this then runs the code that opens you up to a world of hurt.

Happily a beta firmware update has been released that can fix the issue on most of NETGEAR’s router models, but this doesn’t yet include the slightly older D6220, D6400, R6900 or D7000 series.

Many of the affected routers from NETGEAR are quite modern, particularly the R8000 “Nighthawk” series that has received plenty of glowing reviews. Admittedly any router can suffer from security exploits, although it’s usually much more common for such issues to affect older models (e.g. those that are no longer being supported) than the very latest kit.

A temporary fix does exist for those models that haven’t yet been updated, but it requires a little bit of technical knowledge.

Advertisement

UPDATE 20th Dec 2016

NETGEAR has now released a patch for all of the relevant models.

Tags:
Mark-Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and .
Search ISP News
Search ISP Listings
Search ISP Reviews

Comments are closed

Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
100Mbps
Gift: First 3 Months Free
Youfibre UK ISP Logo
Youfibre £23.99
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £23.99
132Mbps
Gift: None
Vodafone UK ISP Logo
Vodafone £25.00
150Mbps
Gift: None
NOW UK ISP Logo
NOW £25.00
100Mbps
Gift: None
Large Availability | View All
Cheap Unlimited Mobile SIMs
Talkmobile UK ISP Logo
Talkmobile £11.95
Contract: 12 Months
Data: 120GB
iD Mobile UK ISP Logo
iD Mobile £16.00
Contract: 24 Months
Data: Unlimited
Smarty UK ISP Logo
Smarty £18.00
Contract: 1 Month
Data: Unlimited
ASDA Mobile UK ISP Logo
ASDA Mobile £19.00
Contract: 24 Months
Data: Unlimited
Three UK ISP Logo
Three £20.00
Contract: 24 Months
Data: Unlimited
Cheapest ISPs for 100Mbps+
Community Fibre UK ISP Logo
100Mbps
Gift: First 3 Months Free
Gigaclear UK ISP Logo
Gigaclear £19.00
300Mbps
Gift: None
toob UK ISP Logo
toob £22.00
150Mbps
Gift: None
Beebu UK ISP Logo
Beebu £23.00
100 - 160Mbps
Gift: None
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Large Availability | View All
Promotion
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact
Mastodon