Netgear Has 79 Router Models Out There With A Zero Day Exploit That Allows Complete Takeover Of Said Router…. Yikes!!

Netgear has a massive problem on its hands. An unpatched zero-day vulnerability exists in 79 Netgear router models that allows an attacker to take full control of vulnerable devices remotely. That makes this a non-trivial issue, especially in this day and age, as most of us are working from home. This was discovered by Adam Nichols of cybersecurity firm Grimm and d4rkn3ss from Vietnam’s VNPT ISC (through Zero Day Initiative). Nichols has now released a detailed explanation of the vulnerability, a PoC exploit, and scripts to find vulnerable routers, which means that the bad guys will be using these tools to launch attacks. In fact, it’s a safe bet that this is already happening.

Here’s the list of routers that are affected by this exploit:

AC1450
D6220
D6300
D6400
D7000v2
D8500
DC112A
DGN2200
DGN2200v4
DGN2200M
DGND3700
EX3700
EX3800
EX3920
EX6000
EX6100
EX6120
EX6130
EX6150
EX6200
EX6920
EX7000
LG2200D
MBM621
MBR624GU
MBR1200
MBR1515
MBR1516
MBRN3000
MVBR1210C
R4500
R6200
R6200v2
R6250
R6300
R6300v2
R6400
R6400v2
R6700
R6700v3
R6900
R6900P
R7000
R7000P
R7100LG
R7300
R7850
R7900
R8000
R8300
R8500
RS400
WGR614v8
WGR614v9
WGR614v10
WGT624v4
WN2500RP
WN2500RPv2
WN3000RP
WN3100RP
WN3500RP
WNCE3001
WNDR3300
WNDR3300v2
WNDR3400
WNDR3400v2
WNDR3400v3
WNDR3700v3
WNDR4000
WNDR4500
WNDR4500v2
WNR834Bv2
WNR1000v3
WNR2000v2
WNR3500
WNR3500v2
WNR3500L
WNR3500Lv2
XR300

What’s important to note is that I can find no mitigations for this exploit. None. That makes this exploit really dangerous. Also, Netgear isn’t planning on patching this entire list of routers that are affected by this, which means that if you have any of these routers, you are on your own. That, of course, is not a good situation. It also reflects poorly on Netgear, as they should not only have better security for their routers, but should also make much more of an effort to care for their customer base when security issues arise.

Given the scale of the issues, and Netgear’s response to it, I would recommend that you take immediate action by replacing your Netgear router with some other brand of router from a vendor who considers security to be top of mind. That’s what I am doing as I have an R8500 which is on the list. And you should do the same thing. This is not a trivial exploit and it requires a non-trivial response in order to ensure that you are secure.

UPDATE: Thanks to everyone who alerted me that Netgear has just sent out emails to customers. In it is a security advisory that details this exploit, and the fact that only TWO of their routers have fixes for this exploit. Netgear says that they will “continue to work on hotfixes for the remaining vulnerabilities and models, which we will release on a rolling basis as they become available.” Whatever that means.

They also have a mitigation for this exploit which is turning off remote management. Here’s how you do it:

  1. On a computer that is part of your home network, type http://www.routerlogin.net in the address bar of your browser and press Enter.
  2. Enter your admin user name and password and click OK. If you never changed your user name and password after setting up your router, the user name is admin and the password is password.
  3. Once you have logged in successfully, select the ADVANCED tab on the browser screen.
  4. Click on Advanced Setup.
  5. Click on Remote Management.
    Note: on some products you may need to click on Web Services Management instead.
  6. If the check box for Turn Remote Management On is checked, click on it so that the box is unchecked. Then click Apply to save your changes. 
  7. If the check box for Turn Remote Management On is unchecked, then click Cancel to leave the page as Remote Management is already turned off.

UPDATE #2: Netgear saw my story and sent me this tweet:

UPDATE #3: Netgear has begun to roll out fixes for this fiasco. More details here.

8 Responses to “Netgear Has 79 Router Models Out There With A Zero Day Exploit That Allows Complete Takeover Of Said Router…. Yikes!!”

  1. For someone without a lot of tech knowledge, will turning off remote management have any impact on using the internet or connecting to my work VPN to work from home? Thank you

  2. I guess I answered my own question as it was already disabled by default on my R7000. Thank you for your post!

  3. […] I reported that Netgear has 79 different router models that are affected by a serious vulnerability that […]

  4. […] I can no longer recommend their products. You can find out about their most recent security issue here, and what I think of that […]

  5. […] seem to be evolving when it comes to the over 70 Netgear routers that are affected by a remote takeover flaw. An issue that Netgear has known about since the start of the year. But didn’t seem to do […]

  6. […] been reporting recently that networking gear maker Netgear has had a massive security #fail where 79 of their router models are affected by a security flaw that allows for the complete takeover of t…. If that isn’t bad enough, exploit code and tools to find these routers out on the Internet […]
