The vulnerability, labeled VU#582384 by Carnegie Mellon University’s CERT, allows “arbitrary command injection” on Netgear’s R7000 and R6400 routers (using firmware 188.8.131.52_1.1.93 and 184.108.40.206_1.0.4 respectively). According to CERT, it’s possible that earlier firmware versions for these two routers are also susceptible to attacks.
The attack is carried out by enticing a user to visit a specially crafted website, which then causes commands to be issued to the router. The routers can also be exploited directly over a LAN connection by entering the following address: http://<router_IP>/cgi-bin/;COMMAND.
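The request form above can be hunted for in HTTP logs. The following is an added example, not code from CERT, Netgear or the original article: it flags requests to a LAN address whose path starts with /cgi-bin/; and separates the direct case from the website-triggered one by referer. The three-field log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# RFC 1918 ranges; assumes the router is addressed by IP, as in the URL above.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Path form from the advisory: /cgi-bin/;COMMAND
INJECTION_PATH = re.compile(r"^/cgi-bin/;", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %3B and %253B both become ';'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_lan_host(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # hostname, not an IP literal
        return False
    return any(ip in net for net in LAN_NETS)

def classify(url, referer=""):
    """Return None if benign, else 'direct' or 'cross-site'."""
    parts = urlsplit(url)
    if not is_lan_host(parts.hostname or ""):
        return None
    if not INJECTION_PATH.match(decode_fully(parts.path)):
        return None
    ref_host = urlsplit(referer).hostname or ""
    # A referer outside the LAN matches the malicious-website vector.
    return "cross-site" if ref_host and not is_lan_host(ref_host) else "direct"

def scan(log_lines):
    """Each line: '<client_ip> <url> <referer or ->' (constructed format)."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) == 3:
            client, url, referer = fields
            kind = classify(url, "" if referer == "-" else referer)
            if kind:
                hits.append((client, url, kind))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "192.168.1.23 http://192.168.1.1/cgi-bin/;COMMAND -",
    "192.168.1.40 http://192.168.1.1/cgi-bin/%3BCOMMAND http://example.test/page.html",
    "192.168.1.23 http://192.168.1.1/start.htm -",
    "192.168.1.23 http://203.0.113.9/cgi-bin/;COMMAND -",
]
```

A router reached by hostname rather than IP would not be matched by this sketch; extend `is_lan_host` with the names used on your network.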
Twitter user Acew0rm posted a video proof of concept for the Netgear exploit.
Acew0rm explains that he first contacted Netgear about the exploit over four months ago and never received a response from the company. So, the hacker took matters into his own hands by making the vulnerability public. “I’ve forgot about this because I thought this was very stupid. I didn’t think it was going to be this big and I thought they were going to instantly patch it.”
According to CERT, there is currently no “practical solution” for the exploit given that Netgear never bothered to respond to Acew0rm. Users of the R8000, R7000 and R6400 are encouraged to stop using the routers immediately until Netgear can remedy the problem with a firmware update.
While it might not be feasible for you to discontinue use of your router right now, we’d highly suggest that you be careful about the sites you visit in the meantime and register your router with Netgear so that you can automatically be notified about new firmware updates.