Owners of popular Netgear router models should look into installing firmware updates on their devices, as Netgear has finished deploying patches for a slew of security issues discovered and reported by US cyber-security firm Trustwave.

Trustwave researchers discovered five issues affecting 17 Netgear router models in total, including the company's top seller, the Nighthawk router series.

All issues were discovered and privately reported in March 2017 via Netgear's bug bounty program. The hardware vendor slowly patched and issued updates for all five flaws during the course of last year.

Trustwave went public with its findings last week, in the hope that users who did not upgrade their router's firmware will now take the time to visit Netgear's site and download firmware updates.

Below is a summary of all five vulnerabilities, each with a short description and a list of the affected router models.

Password Recovery and File Access

This bug requires physical access to the device: an attacker can insert a USB thumb drive into the router/modem and obtain files from its storage space, including passwords.

Fixes available via Netgear's website here. List of vulnerable products below.

D8500 running firmware versions 1.0.3.27 and earlier

DGN2200v4 running firmware versions 1.0.0.82 and earlier

R6300v2 running firmware versions 1.0.4.06 and earlier

R6400 running firmware versions 1.0.1.20 and earlier

R6400v2 running firmware versions 1.0.2.18 and earlier

R6700 running firmware versions 1.0.1.22 and earlier

R6900 running firmware versions 1.0.1.20 and earlier

R7000 running firmware versions 1.0.7.10 and earlier

R7000P running firmware versions 1.0.0.58 and earlier

R7100LG running firmware versions 1.0.0.28 and earlier

R7300DST running firmware versions 1.0.0.52 and earlier

R7900 running firmware versions 1.0.1.12 and earlier

R8000 running firmware versions 1.0.3.46 and earlier

R8300 running firmware versions 1.0.2.86 and earlier

R8500 running firmware versions 1.0.2.86 and earlier

WNDR3400v3 running firmware versions 1.0.1.8 and earlier

WNDR4500v2 running firmware versions 1.0.0.62 and earlier

Authentication Bypass

An attacker who can access the router from the Internet or from an internal network can bypass authentication by adding "&genie=1" in the router's admin panel URL. Trustwave describes this bug as "trivial to exploit."
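For defenders who log HTTP traffic reaching a router's admin interface, the following added example (not from Trustwave or Netgear) flags requests that carry the "genie=1" parameter. The log format (Common Log Format), the request paths and the addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format; paths and addresses are
# hypothetical (documentation IP ranges), not taken from a real device.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Feb/2018:10:01:02 +0000] "GET /index.htm HTTP/1.1" 401 512
192.0.2.10 - - [08/Feb/2018:10:01:05 +0000] "GET /index.htm?x=1&genie=1 HTTP/1.1" 200 9321
198.51.100.7 - admin [08/Feb/2018:10:03:11 +0000] "GET /status.htm?genie=10 HTTP/1.1" 200 800
198.51.100.7 - - [08/Feb/2018:10:04:40 +0000] "POST /apply.cgi?genie=1 HTTP/1.1" 200 120
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})\b'
)

def find_genie_requests(log_text):
    """Return one dict per request whose query string contains genie=1."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        client, user, when, method, target, status = m.groups()
        # Parse the query instead of substring matching, so that
        # "genie=10" or "notgenie=1" do not raise false alerts.
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        if any(key == "genie" and value == "1" for key, value in params):
            hits.append({
                "client": client,
                "time": when,
                "method": method,
                "target": target,
                "status": int(status),
                # "-" in the user field means no HTTP auth user was logged
                "authenticated": user != "-",
            })
    return hits

if __name__ == "__main__":
    for hit in find_genie_requests(SAMPLE_LOG):
        print(hit)
```

A hit with a 2xx status and no authenticated user deserves the closest look, since it suggests the admin page was served without a login.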

Fixes available via Netgear's website here. List of vulnerable products below.

D6220, running firmware versions prior to 1.0.0.26

D6400, running firmware versions prior to 1.0.0.60

D8500, running firmware versions prior to 1.0.3.29

R6250, running firmware versions prior to 1.0.4.12

R6400, running firmware versions prior to 1.01.24

R6400v2, running firmware versions prior to 1.0.2.30

R6700, running firmware versions prior to 1.0.1.22

R6900, running firmware versions prior to 1.0.1.22

R6900P, running firmware versions prior to 1.0.0.56

R7000, running firmware versions prior to 1.0.9.4

R7000P, running firmware versions prior to 1.0.0.56

R7100LG, running firmware versions prior to 1.0.0.32

R7300DST, running firmware versions prior to 1.0.0.54

R7900, running firmware versions prior to 1.0.1.18

R8000, running firmware versions prior to 1.0.3.44

R8300, running firmware versions prior to 1.0.2.100_1.0.82

R8500, running firmware versions prior to 1.0.2.100_1.0.82

Post-Authentication Command Injection

An already authenticated attacker can run root-level commands on affected routers and modems via the "device_name" parameter on the lan.cgi page.

Fixes available via Netgear's website here. List of vulnerable products below.

D8500 running firmware versions 1.0.3.28 and earlier

R6400 running firmware versions 1.0.1.22 and earlier

R6400v2 running firmware versions 1.0.2.18 and earlier

R8300 running firmware versions 1.0.2.94 and earlier

R8500 running firmware versions 1.0.2.94 and earlier

R6100 running firmware versions 1.0.1.12 and earlier

Command Injection (Chained Attack)

An attacker can combine an already known CSRF attack and the previous two bugs to run root-level commands without authentication.

Fixes available via Netgear's website here. List of vulnerable products below.

D6220, running firmware versions prior to 1.0.0.26

D6400, running firmware versions prior to 1.0.0.60

D8500, running firmware versions prior to 1.0.3.29

R6250, running firmware versions prior to 1.0.4.12

R6400, running firmware versions prior to 1.01.24

R6400v2, running firmware versions prior to 1.0.2.30

R6700, running firmware versions prior to 1.0.1.22

R6900, running firmware versions prior to 1.0.1.22

R6900P, running firmware versions prior to 1.0.0.56

R7000, running firmware versions prior to 1.0.9.4

R7000P, running firmware versions prior to 1.0.0.56

R7100LG, running firmware versions prior to 1.0.0.32

R7300DST, running firmware versions prior to 1.0.0.54

R7900, running firmware versions prior to 1.0.1.18

R8000, running firmware versions prior to 1.0.3.44

R8300, running firmware versions prior to 1.0.2.100_1.0.82

R8500, running firmware versions prior to 1.0.2.100_1.0.82

Command Injection Vulnerability

This is another flaw that lets attackers run root-level commands, but it's harder to exploit. An attacker must have physical access to the device to press the WPS (Wi-Fi Protected Setup) button in order to exploit this flaw.

Fixes available via Netgear's website here. List of vulnerable products below.

R6100 running firmware versions prior to 1.0.1.14

R7500 running firmware versions prior to 1.0.0.110

R7500v2 running firmware versions prior to 1.0.3.16

R7800 running firmware versions prior to 1.0.2.32

EX6200v2 running firmware versions prior to 1.0.1.50

D7800 running firmware versions prior to 1.0.1.22
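The lists above mix two kinds of bound: "X and earlier" includes X, while "prior to X" does not. The following added example (not Netgear's or Trustwave's code) checks an installed firmware version against a small subset of the entries above. How it treats the "_" suffix in versions such as 1.0.2.100_1.0.82 is an assumption: a version without the suffix sorts before the same version with it.

```python
# Subset of the lists on this page: model -> (bound, inclusive).
# inclusive=True  means "X and earlier"; inclusive=False means "prior to X".
AFFECTED = {
    "Authentication Bypass": {
        "R7000": ("1.0.9.4", False),
        "R8300": ("1.0.2.100_1.0.82", False),
        "R8500": ("1.0.2.100_1.0.82", False),
    },
    "Post-Authentication Command Injection": {
        "D8500": ("1.0.3.28", True),
        "R6400": ("1.0.1.22", True),
        "R8300": ("1.0.2.94", True),
        "R8500": ("1.0.2.94", True),
    },
}

def parse_version(text):
    """'V1.0.2.100_1.0.82' -> ((1, 0, 2, 100), (1, 0, 82)).

    Raises ValueError on non-numeric components instead of guessing.
    """
    main, _, suffix = text.strip().lstrip("Vv").partition("_")

    def nums(part):
        return tuple(int(p) for p in part.split(".")) if part else ()

    return nums(main), nums(suffix)

def issues_for(model, firmware):
    """Return the names of the listed issues that apply to model/firmware."""
    installed = parse_version(firmware)
    hits = []
    for issue, models in AFFECTED.items():
        if model not in models:
            continue
        bound, inclusive = models[model]
        limit = parse_version(bound)
        if installed < limit or (inclusive and installed == limit):
            hits.append(issue)
    return hits

if __name__ == "__main__":
    # Constructed inventory entries for illustration.
    for model, fw in [("R8300", "1.0.2.94"), ("R7000", "1.0.9.4")]:
        print(model, fw, issues_for(model, fw))
```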