Netgear R6250/R6400/R6700/R7000/R7100LG/R7300/R7900/R8000 V1.0.7.2_1.1.93 URL cross-site request forgery
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.9 | $0-$5k | 0.00 |
A vulnerability was found in Netgear R6250, R6400, R6700, R7000, R7100LG, R7300, R7900 and R8000 V1.0.7.2_1.1.93 (Wireless LAN Software) and classified as critical. This issue affects an unknown code block of the component URL Handler. The manipulation with the input value ;[command] leads to a cross-site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Impacted is confidentiality, integrity, and availability.
The bug was discovered 12/22/2016. The weakness was disclosed 12/07/2016 by Acew0rm as Netgear R7000 - Command Injection / EDB-ID 40889 as confirmed exploit (Exploit-DB). It is possible to read the advisory at exploit-db.com. The vendor was not involved in the public release. The identification of this vulnerability is CVE-2016-6277 since 07/22/2016. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 04/23/2024). Due to its background and reception, this vulnerability has a historic impact.
A public exploit has been developed by Acew0rm in URL and been published immediately after the advisory. The exploit is available at exploit-db.com. It is declared as highly functional. The vulnerability scanner Nessus provides a plugin with the ID 95823 (NETGEAR Multiple Model cgi-bin RCE), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CGI abuses and running in the context r. The commercial vulnerability scanner Qualys is able to test this issue with plugin 13152 (Netgear Multiple Versions Command Injection Vulnerability). The CISA Known Exploited Vulnerabilities Catalog lists this issue since 03/07/2022 with a due date of 09/07/2022:
Apply updates per vendor instructions. Upgrading eliminates this vulnerability. It is possible to mitigate the problem by applying the configuration setting Disable Webserver. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 2 weeks after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 26275.
The vulnerability is also documented in the databases at Tenable (95823) and Exploit-DB (40889). kb.cert.org is providing further details. The entries VDB-260786, VDB-260787, VDB-260788 and VDB-260789 are pretty similar.
Not Affected
- Netgear D700
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
Video
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.0VulDB Meta Temp Score: 7.9
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cross-site request forgeryCWE: CWE-352 / CWE-862 / CWE-863
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Highly functional
Author: Acew0rm
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
KEV Added: 🔍
KEV Due: 🔍
KEV Remediation: 🔍
KEV Ransomware: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 95823
Nessus Name: NETGEAR Multiple Model cgi-bin RCE
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 801118
OpenVAS Name: NETGEAR Routers RCE Vulnerability
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
MetaSploit ID: netgear_r7000_cgibin_exec.rb
MetaSploit Name: Netgear R7000 and R6400 cgi-bin Command Injection
MetaSploit File: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Config: Disable Webserver
Workaround: sj-vs.net
Snort ID: 26275
Snort Message: SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt
Snort Class: 🔍
Timeline
07/22/2016 🔍12/07/2016 🔍
12/07/2016 🔍
12/09/2016 🔍
12/12/2016 🔍
12/14/2016 🔍
12/14/2016 🔍
12/16/2016 🔍
12/22/2016 🔍
04/23/2024 🔍
Sources
Vendor: netgear.comAdvisory: Netgear R7000 - Command Injection / EDB-ID 40889
Researcher: Acew0rm
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2016-6277 (🔍)
CERT VU: 🔍
SecurityFocus: 94819 - Multiple Netgear Routers VU#582384 Remote Command Injection Vulnerability
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 12/12/2016 10:48Updated: 04/23/2024 21:05
Changes: 12/12/2016 10:48 (102), 12/12/2016 14:53 (1), 07/10/2019 12:45 (4), 10/05/2022 20:57 (4), 04/23/2024 21:05 (28)
Complete: 🔍
Committer: Simon
Cache ID: 3:C15:103