Critical Netgear Bug Impacts Flagship Nighthawk Router

Dozens of routers are patched by Netgear as it snuffs out critical, high and medium severity flaws.

Netgear is warning users of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to The warnings, posted Tuesday, also include two high-severity bugs impacting Nighthawk routers, 21 medium-severity flaws and one rated low.

The critical vulnerability, tracked by Netgear as PSV-2019-0076, affects the company’s consumer Nighthawk X4S Smart Wi-Fi Router (R7800) first introduced in 2016 and still available today. Netgear is short on details tied to the vulnerability, only urging customers to visit its online support page to download a patch for the bug.

The same R7800 model router is also vulnerable to a high-severity post-authentication command injection flaw, tracked as PSV-2018-0352. In this case, the Nighthawk (R7800) router is vulnerable when running firmware prior to version

The same high-severity command injection flaw (PSV-2018-0352) also exists in 29 other router models within the D6000, R6000, R7000, R8000, R9000 and XR500 family of Netgear hardware. Brands include 20 SKUs of the Wireless AC Router Nighthawk hardware, four of its Wireless AC Routers and four DSL Gateway AC devices.

Netgear is also mum on the technical specifics of how the command injection flaw manifests itself in the routers and gateway devices. Generally, a post-authentication command injection flaw can lead to a number of different attack scenarios including one that allows a hacker to completely compromise a device and gain root privileges.

On Tuesday, Netgear warned of a second high-severity post-authentication command injection flaw impacting five router models within the R6400, R6700, R6900 and R7900 SKUs and that are running specific vulnerable firmware. The security bulletin for the vulnerability is PSV-2019-0051. These model routers typically fall under Netgear’s consumer devices.

Netgear has a long history of patching command injection flaws dating back to 2013 and researched by Zach Cutlip. It was then that Cutlip found a similar vulnerability in Netgear’s WNDR3700v4 router that allowed for an attacker to take control of the hardware. More recently, in 2018 researchers at Fortinet discovered that Netgear R8000 model router also had a post-authentication command injection flaw tied to its CGI Handler.

Netgear is urging customers to visit its online support page and search by device model for the most recent firmware to update and patch their devices.

Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.

Suggested articles


  • Jim on

    I wonder if the same flaws exist on routers that had their firmware replaced by DD-WRT, OpenWRT or Tomato?
  • Cirtis Wardwell on

    How would a person update these routers.
  • Mike t on

    Go to their site go to support than look up your router model download the latest firmware and follow the instructions for manual upsarw
  • Bill on

    Did you read the article "Netgear is urging customers to visit its online support page and search by device model for the most recent firmware to update and patch their devices."
  • Sam on

    Command injection is a software bug, when you flash to the install WRT, it’s a different firmware, you should check if they have the same vulnerabilities or others for that matter
  • Brando on

    I don't own a computer but I have to have one to update my router... Come on guys. I didn't even need one to set it up. Give me control over that on my nighthawk app.
  • Brian H on

    Just get a computer already ya dumb hunk! Why would you not have a computer?
  • Scott on

    I have been having issues with all of my electronics in my home network using one of the routers in this article. Does anyone have an idea what might show up in the logs for MacBook if it were compromised? It never sleeps, if I am using the computer it’s fine. But, if I get up to say grab a drink or something the computer almost immediately starts closing applications and is trying to shut itself down.
  • Zorodik on

    Regarding WNDR3700 SERIES V1-3 (I have 3 of these), does one presume that they don't have the vulnerability or that Netgear can't patch v1-3. Firmware has not been updated in years.
  • Anonymous on

    For the dd-wrt question, if these can be patched via software I doubt they would carry over to an aftermarket firmware unless explicitly based on netgears own source like some of the Asus (Merlin?) do.
  • Brian on

    Seems like there firmware is sketchy at that.i have bricked my r-7000 doing a firmware update.
  • Kirk on

    I wonder if the fix for this will fix the issue where some SSL sites and videos are blocked. I have to run several versions back on my r7000 or I can't reach some bank sites and some videos from secure sites wont load.
  • Chris on

    DD-WRT should be patched, but it all depends on what build (Kong-Brainslayer) and build number you're running ... but if you're running aftermarket firmware, doing your research is probably not a big deal.
  • Howard Worf on

    Mine has bricked as well. Can't even log on to the admin account

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.