February 6, 2025

Netgear patches critical vulnerabilities in some WiFi routers


Netgear has addressed two critical vulnerabilities impacting some of its residential and gaming-grade WiFi routers.

Netgear didn’t provide much information on the nature of the vulnerabilities, but did admit that the first flaw, tracked as PSV-2023-0039, could lead to remote code execution. The second flaw, tracked as PSV-2021-0117, could lead to authentication bypass. In both cases, the flaws can be exploited in low-complexity attacks that require no user interaction.


The vulnerable Netgear routers include:

  • XR1000 (Firmware version 1.0.0.74)
  • XR1000v2 (Firmware version 1.1.0.22)
  • XR500 (Firmware version 2.3.2.134)
  • WAX206 (Firmware version 1.0.5.3)
  • WAX220 (Firmware version 1.0.5.3)
  • WAX214v2 (Firmware version 1.0.2.5)

Netgear is urging impacted users to update the firmware of their routers as soon as possible.

Source: BleepingComputer

Analysis

The dates in the vulnerability identifiers are interesting, as they imply that these vulnerabilities may have been discovered in 2021 and 2023 but only recently patched. If that is the case, threat actors would have had a large window in which to exploit the vulnerabilities and compromise the router.

The most likely consequence of these routers being compromised is that they become part of a botnet, or a network of compromised computers, servers, or IoT devices which can be controlled remotely by a threat actor. These infected devices operate without the owner’s knowledge and can be used for various malicious activities, including DDoS attacks to overwhelm and take down websites, spam email campaigns, credential stuffing attacks, data theft, and even cryptojacking (mining cryptocurrency using victims’ computing power).

While not exclusively a Netgear problem, Netgear’s WiFi routers have a history of being co-opted into major botnets including Mozi and Mirai. In 2024, the U.S. government disrupted a botnet operated by the Chinese state-sponsored cyber actor, Volt Typhoon, which consisted of compromised end-of-life Netgear and Cisco routers that the group used as a covert communications channel for its cyber espionage activities.

Residential and gaming-grade WiFi routers make excellent targets for botnet operators because they are often deployed by the end user with default credentials enabled, easily allowing a remote threat actor to log into the device and compromise it. Additionally, a large portion of these routers are not updated regularly, leaving vulnerabilities unpatched for months or years. Lastly, these devices are rarely turned off, thus providing reliable infrastructure for threat actors once they have compromised the device.

It’s unlikely that threat actors’ interest in compromising WiFi routers will diminish soon. Thus, users must regularly update their router’s firmware and change the default credentials, which makes it more difficult for threat actors to compromise these devices.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in routers. Field Effect MDR users are automatically notified if a vulnerable router is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends users of the affected Netgear routers update to the latest version as soon as possible, in accordance with the advisory.
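To turn the model and firmware list above into a check that can be run against a device inventory, here is an added example in Python (not Field Effect's or Netgear's own code). It assumes that the version listed for each model is the first patched firmware build, so anything older is flagged, and it uses a constructed inventory in place of real MDR data.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Model -> firmware version named in the advisory above. ASSUMPTION (not stated on the
# page): the listed version is the first patched build, so older firmware is flagged.
ADVISORY_VERSIONS = {
    "XR1000": "1.0.0.74", "XR1000v2": "1.1.0.22", "XR500": "2.3.2.134",
    "WAX206": "1.0.5.3", "WAX220": "1.0.5.3", "WAX214v2": "1.0.2.5",
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a firmware string into a comparable tuple of integers. Netgear strings
    commonly look like 'V1.0.0.74_1.0.1'; the leading 'V' and the '_...' build suffix
    are ignored. Raises ValueError on anything unparseable."""
    core = text.strip().lstrip("Vv").split("_", 1)[0]
    return tuple(int(part) for part in core.split("."))

def needs_update(model: str, firmware: str) -> Optional[bool]:
    """True if the model is listed and its firmware predates the listed version,
    False if it is already at or above it, None if the model is not listed."""
    listed = ADVISORY_VERSIONS.get(model)
    if listed is None:
        return None
    return parse_version(firmware) < parse_version(listed)

def audit(inventory: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return entries that need attention, each with a 'reason'. Unreadable version
    strings on listed models are reported rather than silently skipped."""
    findings = []
    for device in inventory:
        try:
            verdict = needs_update(device["model"], device["firmware"])
        except ValueError:
            findings.append({**device, "reason": "firmware version unparseable"})
            continue
        if verdict:
            findings.append({**device, "reason": f"below {ADVISORY_VERSIONS[device['model']]}"})
    return findings

# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    {"host": "10.0.0.1", "model": "XR1000", "firmware": "V1.0.0.72_1.0.1"},
    {"host": "10.0.0.2", "model": "XR1000", "firmware": "1.0.0.74"},
    {"host": "10.0.0.3", "model": "WAX206", "firmware": "1.0.4.9"},
    {"host": "10.0.0.4", "model": "R7000", "firmware": "1.0.11.100"},
    {"host": "10.0.0.5", "model": "XR500", "firmware": "unknown"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']} {f['model']} {f['firmware']}: {f['reason']}")
```

Models not in the advisory return None rather than False so that an unlisted device is never reported as safe.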
