CVE-2016-6277

Name of the Vulnerable Software and Affected Versions NETGEAR R6250 versions 1.0.4.6.Beta and earlier NETGEAR R6400 versions 1.0.1.18.Beta and earlier NETGEAR R6700 versions 1.0.1.14.Beta and earlier NETGEAR R6900 (affected versions not specified) NETGEAR R7000 versions 1.0.7.6.Beta and earlier NETGEAR R7100LG versions 1.0.0.28.Beta and earlier NETGEAR R7300DST versions 1.0.0.46.Beta and earlier NETGEAR R7900 versions 1.0.1.8.Beta and earlier NETGEAR R8000 versions 1.0.3.26.Beta and earlier NETGEAR D6220 (affected versions not specified) NETGEAR D6400 (affected versions not specified) NETGEAR D7000 (affected versions not specified)

Description The issue is related to insufficient authentication of executed requests, allowing remote attackers to execute arbitrary commands via shell metacharacters in the path info to "cgi-bin/". This can be exploited by sending malicious requests to the vulnerable routers.

Recommendations For NETGEAR R6250 version 1.0.4.6.Beta and earlier, update to version 1.0.4.6.Beta or later. For NETGEAR R6400 version 1.0.1.18.Beta and earlier, update to version 1.0.1.18.Beta or later. For NETGEAR R6700 version 1.0.1.14.Beta and earlier, update to version 1.0.1.14.Beta or later. For NETGEAR R6900, NETGEAR D6220, NETGEAR D6400, and NETGEAR D7000, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For NETGEAR R7000 version 1.0.7.6.Beta and earlier, update to version 1.0.7.6.Beta or later. For NETGEAR R7100LG version 1.0.0.28.Beta and earlier, update to version 1.0.0.28.Beta or later. For NETGEAR R7300DST version 1.0.0.46.Beta and earlier, update to version 1.0.0.46.Beta or later. For NETGEAR R7900 version 1.0.1.8.Beta and earlier, update to version 1.0.1.8.Beta or later. For NETGEAR R8000 version 1.0.3.26.Beta and earlier, update to version 1.0.3.26.Beta or later. As a temporary workaround, consider restricting access to the "cgi-bin/" endpoint until a patch is available.