PT-2018-4931 · NetGear · Netgear Wndr4500

Published: 2018-07-24 · Updated: 2019-10-09 · CVE-2016-5638

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Netgear WNDR4500 firmware version V1.0.1.40 1.0.6877

Description: A remote attacker can access certain web pages associated with the genie app without authentication. Specifically, accessing genie ping.htm, genie ping2.htm, or genie ping3.htm pages redirects to the "Congratulations2.htm" page, which reveals sensitive information, including the 2.4GHz and 5GHz Wireless Network Name (SSID) and Network Key (Password) in clear text.

Recommendations: For Netgear WNDR4500 firmware version V1.0.1.40 1.0.6877, consider restricting access to the genie app web pages, specifically genie ping.htm, genie ping2.htm, and genie ping3.htm, until a patch is available. As a temporary workaround, avoid using the genie app when away from home to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Cleartext Transmission of Sensitive Information

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2016-5638

Affected Products

Netgear Wndr4500