Various models of Netgear routers have been found to have a critical security flaw that lets hackers take over the devices and remotely run code on them. The vulnerability is easy to exploit and the list of affected Netgear routers is growing. Here's are all the Netgear routers that have been found to carry the security bug and a possible workaround.
Last week, a security researcher by the name of AceW0rm exposed the vulnerability which was initially found to affect Netgear R8000, R7000 and R6400 routers. The critical bug would allow an attacker to execute arbitrary commands with root privileges by tricking users into visiting a specially crafted website, according to US Computer Emergency Readiness Team (US-CERT). All R800 routers are affected. R7000 routers with firmware version 126.96.36.199_1.1.93 and R6400 devices running firmware version 188.8.131.52_1.0.4 and possibly earlier are vulnerable.
Another researcher called Kalypto Pink has since discovered the bug exists on other routers from the vendor as well. Here's the full list.
- NetGear AC1750-Smart WiFi Router (Model R6400)
- NetGear AC1900-Nighthawk Smart WiFi Router (Model R7000)
- NetGear AC2300-Nighthawk Smart WiFi Router with MU-MIMO (Model R7000P)
- NetGear AC2350-Nighthawk X4 AC 2350 Dual Band WiFi Router (Model R7500)
- NetGear AC2600-Nighthawk X4S Smart WiFi Gaming Router (Model R7800)
- NetGear AC3200-Nighthawk AC3200 Tri-Band WiFi Router (Model R8000)
- NetGear AC5300-AC5300 Nighthawk X8 Tri-Band WiFi Router (Model R8500)
- NetGear AD7200-Nighthawk X10 Smart WiFi Router (R9000)
The list may grow as more routers are analysed.
Netgear was reportedly informed of the bug months ago. The vendor has yet to release a patch for the vulnerability.
US-CERT has recommended that users stop using routers that are known to be affected.
There is a way to directly exploit the bug locally: "A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting: http:///cgi-bin/;COMMAND."
You can temporarily prevent this attack by killing your router's web server with the following command:
http:///cgi-bin/;killall$IFS’httpd‘. But this will leave your router's web admin interface disabled until you reboot the device.