Netgear moves to plug vulnerability in routers after researchers find zero-day

The findings underscore the challenge of improving security in a market that prizes cheap and functional networking equipment.

A newly discovered software vulnerability could allow hackers to remotely exploit home internet routers, offering a foothold for breaking into the devices running on those networks.

Researchers say the flaw in routers made by Netgear — revealed this week by cybersecurity company GRIMM and Trend Micro’s Zero Day Initiative (ZDI) — underscores the long-running challenge of improving security in a market that prizes affordable and functional networking equipment. Netgear told CyberScoop on Wednesday that it was close to releasing a patch for the vulnerability.

The flaw affects how Netgear devices handle incoming data and could let hackers, under certain conditions, bypass the router’s authentication process using a software exploit. The router could then be a pathway to other devices, such as a laptop housing sensitive work information. (Breaking into the laptop would likely require an additional exploit.)

The findings show how the potential impact of a bug can grow as investigations proceed. Researchers initially singled out two versions of Netgear routers as vulnerable. But Adam Nichols, GRIMM’s principal of software security, said his team found a vulnerable copy of a web server on the router in 79 different Netgear devices. The bug, they say, affects versions of Netgear firmware dating to 2007.


“While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind,” Nichols wrote in a blog discussing the vulnerability.

‘A perfect storm’

The surge in telework during the coronavirus pandemic has meant more business data stored on home networks, raising the stakes for the security of those networks.

“With the increased number of people working from home during the pandemic, the wide number of models containing this vulnerability and the lack of exploit mitigations in this vendor’s products have come together in a perfect storm,” Nichols told CyberScoop.

Sandeep Harpalani, vice president of product management at Netgear, said the vendor was preparing to release a patch as well as an advisory on what customers can do to protect themselves. The advisory could come later Wednesday, but the patch has taken longer than expected because of the pandemic, he said.


“It is a top priority, it’s just with the current situation in terms of COVID-19 … it has impacted us, just as it’s impacted everybody else,” Harpalani said. “Debugging has taken much longer than what we would typically expect, but we are still pretty close [to releasing a patch].”

A malicious attacker would first need to gain access to the router to exploit it, Harpalani said, adding that there have been no reports of malicious exploitation.

But Nichols said that in some cases, a hacker wouldn’t need to be on a WiFi network to launch an attack. “Instead, they can serve malicious javascript that causes the user’s browser to launch the attack,” he said.

ZDI researchers say they reported the bug to Netgear in January. They held off for weeks on publishing their analysis so that Netgear could address the issue. After Netgear requested multiple extensions for releasing a fix, ZDI published their findings on Monday to raise awareness of the bug.

Netgear is not the only router vendor whose code researchers are poring over during the pandemic. Last week, security company Palo Alto Networks revealed six vulnerabilities in routers made by Taiwanese manufacturer D-Link that could have allowed hackers to steal passwords and other sensitive data. D-Link issued a patch for the bugs.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
