Netgear has fixed two critical vulnerabilities affecting multiple WiFi router models and urged customers to update their devices to the latest firmware as soon as possible.
The security flaws impact multiple WiFi 6 access points (WAX206, WAX214v2, and WAX220) and Nighthawk Pro Gaming router models (XR1000, XR1000v2, XR500).
Although the American computer networking company did not disclose more details about the two bugs, it did reveal that unauthenticated threat actors can exploit them for remote code execution (tracked internally as PSV-2023-0039) and authentication bypass (PSV-2021-0117) in low-complexity attacks that don't require user interaction.
"NETGEAR strongly recommends that you download the latest firmware as soon as possible," the company said in securityadvisories published over the weekend.
The table below lists all vulnerable router models and the firmware versions with security patches.
| Vulnerable Netgear router | Patched firmware version |
| XR1000 | Firmware version 1.0.0.74 |
| XR1000v2 | Firmware version 1.1.0.22 |
| XR500 | Firmware version 2.3.2.134 |
| WAX206 | Firmware version 1.0.5.3 |
| WAX220 | Firmware version 1.0.5.3 |
| WAX214v2 | Firmware version 1.0.2.5 |
To download and install the latest firmware for your Netgear router, you have to go through the following steps:
- Visit NETGEAR Support.
- Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
- If you do not see a drop-down menu, ensure you entered your model number correctly or select a product category to browse for your product model.
- Click Downloads.
- Under Current Versions, select the first download whose title begins with Firmware Version.
- Click Release Notes.
- Follow the instructions in the release notes to download and install the new firmware.
"The unauthenticated RCE vulnerability remains if you do not complete all recommended steps," the company warned on Saturday.
"NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification."
A Netgear spokesperson was not available for comment when contacted by BleepingComputer for more information on the two security flaws.
In July, Netgear also urged customers to update to the latest firmware immediately to patch stored cross-site scripting (XSS) and authentication bypass vulnerabilities impacting several WiFi 6 router models.
One month earlier, security researchers disclosed six flaws of varying severity levels in Netgear WNR614 N300, an end-of-life router popular among home users and small businesses.
Related Articles:
Laravel admin package Voyager vulnerable to one-click RCE flaw
QNAP fixes six Rsync vulnerabilities in NAS backup, recovery app
Over 660,000 Rsync servers exposed to code execution attacks
Apache warns of critical flaws in MINA, HugeGraph, Traffic Control
Apache fixes remote code execution bypass in Tomcat web server
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________