CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-306: Missing Authentication for Critical Function, and CWE-352: Cross-Site Request Forgery (CSRF) R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, and D6400 contain an unauthenticated command injection vulnerability that may be executed directly or via cross-domain requests. Known affected firmware versions include Netgear R7000 version 1.0.7.2_1.1.93, R6400 version 1.0.1.12_1.0.11, and R8000 version 1.0.3.4_1.1.2. Earlier versions may also be affected. The command injection vulnerability has been assigned CVE-2016-6277.



By convincing a user to visit a specially crafted web site, a remote, unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. An unauthenticated, LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:



http://<router_IP>/cgi-bin/;COMMAND



An exploit demonstrating these vulnerabilities has been publicly disclosed.



Netgear's advisory indicates that the R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, and D6400 are vulnerable, though affected firmware versions are not enumerated. The vendor has indicated in their advisory that all listed models now have firmware updates available.