Vulnerability Note VU#582384
Multiple Netgear routers are vulnerable to arbitrary command injection
Netgear R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, and D6400 routers and possibly other models are vulnerable to arbitrary command injection.
R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, and D6400 contain an unauthenticated command injection vulnerability that may be executed directly or via cross-domain requests. Known affected firmware versions include Netgear R7000 version 220.127.116.11_1.1.93, R6400 version 18.104.22.168_1.0.11, and R8000 version 22.214.171.124_1.1.2. Earlier versions may also be affected. The command injection vulnerability has been assigned CVE-2016-6277.
By convincing a user to visit a specially crafted web site, a remote, unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. An unauthenticated, LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
An exploit demonstrating these vulnerabilities has been publicly disclosed.
Netgear’s advisory indicates that the R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, and D6400 are vulnerable, though affected firmware versions are not enumerated. The vendor has indicated in their advisory that all listed models now have firmware updates available.
By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers.
Apply an update
Netgear has released firmware updates for the affected models specified in their advisory. Users are strongly encouraged to update as soon as possible. For users unable or unwilling to apply a firmware fix, we recommend the following workarounds.
Disable web server
The very vulnerabilities that exist on affected routers may be used to temporarily disable the vulnerable web server until the device is restarted:
Do not enable remote administration
Enabling remote administration allows affected routers to be exploited via direct requests from the WAN. As such, users are strongly advised to leave remote administration disabled, or disable it if is has been enabled previously.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Netgear, Inc.||Affected||09 Dec 2016||11 Dec 2016|
If you are a vendor and your product is affected, let
CVSS Metrics (Learn More)
Thanks to Chad Dougherty for alerting us to this vulnerability.
This document was written by Joel Land.
07 Dec 2016
Date First Published:
09 Dec 2016
Date Last Updated:
03 Jan 2017
If you have feedback, comments, or additional information about this vulnerability, please send us email.