Nearly 80 Netgear routers have a major security flaw and half won't be patched

(Image credit: Netgear)

Netgear has decided not to issue a firmware update to 45 of its nearly 80 router and gateway models affected by a remote code execution vulnerability that was disclosed at the end of June. Left unpatched, the flaw lets an attacker effectively bypass the login credentials and take control of the router.

The prospect of having an attacker root around inside a router with unfettered access to settings is unsettling, to say the least. Fortunately, Netgear has issued patches addressing the flaw to 34 affected models, but unfortunately the other 45 models will never get an update because they are listed as being "outside [the] security support period."

Two security researchers working at different firms discovered the flaw, as reported by ZDNet in June. One of them is Adam Nichols, head of the Software Application Security team at Grimm, a cybersecurity outfit in Arlington, Virginia, and the other goes by d4rkness and works for Vietnamese ISP VNPT.

Both published their findings through Trend Micro's Zero Day Initiative (ZDI) program, which reported the vulnerability to Netgear back in January. ZDI typically gives companies 90 days to issue security patches for discovered vulnerabilities before going public. In this case, Netgear asked for and was granted an extension until mid-June, but its request for a second extension until the end of June was denied.

Nichols posted a proof-of-concept on GitHub, and also outlined the technical details of the flaw in a blog post. In short, the flaw resides in the web server component of affected models, which is tied to the built-in administration panel, and can be exploited locally or remotely.

"Netgear has provided firmware updates with fixes for all supported products previously disclosed by ZDI and Grimm. The remaining products included in the published list are outside of our support window. In this specific instance, the parameters were based on the last sale date of the product into the channel, which was set at three years or longer," Netgear said in a statement (via Tom's Guide).

Some of the unpatched routers go back to 2007, while others are more recent. These are not necessarily based on ancient standards, either. A few of them are Wi-Fi 5 (802.11ac) models, like the R7300DST pictured up top.

You can view a full list of affected models on Netgear's related support page. If you own one of the models that is not going to be patched, you should consider upgrading (check out our roundup of the best gaming routers). Otherwise, you may want to disable the Remote Management feature (see your router's manual for instructions) to at least protect against remote attacks of this nature. Note that this only closes off the remote vector: because the flaw sits in the web server behind the administration panel, it can still be exploited from inside the local network.
