Thousands of Netgear routers are at risk of getting hacked: What to do
Nearly 50 Netgear models need firmware patches ASAP
Netgear this week has pushed out a passel of patches for its home networking gear, covering seven modem-router gateways, one range extender and 40-odd routers, including some Nighthawk models and Orbi mesh routers and satellites.
A full list of the affected models is at the end of this story.
The worst of the flaws lets hackers remotely install malware on the Nighthawk X4S gaming router, model R7800. That could lead to the entire Wi-Fi network and all web traffic that runs through it being compromised. Netgear gives that vulnerability a severity score of 9.4/10, which qualifies as "critical."
Almost as bad is a "pre-authentication command injection security vulnerability" on five models, which could also lead to total network takeover. That affects router models R6400v2, R6700, R6700v3, R6900 and R7900. It gets a "high" severity rating of 8.3/10.
Right behind that is a "post-authentication command injection security vulnerability." The only difference from the previous flaw is that the attacker apparently has to be logged in somehow.
It gets a "high" rating of 8/10 and affects the D6220, D6400, D7000v2 and D8500 gateways and the R6220, R6250, R6260, R6400, R6400v2, R6700, R6700v2, R6700v3, R6800, R6900, R6900P, R6900v2, R7000, R7000P, R7100LG, R7300DST, R7800, R7900, R7900P, R8000, R8000P, R8300, R8500, R8900, R9000 and XR500 routers.
The less severe flaws
Moderately dangerous is an "authentication bypass security vulnerability" on 11 routers and gateways and one range extender. Netgear's description of the flaw is pretty vague, but given the 6.8/10, "medium" severity score, it implies that an outside attacker could gain unauthorized access to your home Wi-Fi network.
That may be a danger to other devices connected to the network, but probably not to the router itself. This flaw affects the D6200 and D7000 modem-routers, the PR2000 Wi-Fi range extender and the R6050, JR6150, R6120, R6220, R6230, R6260, R6700v2, R6800 and R6900v2 routers.
About 20 flaws involve "stored cross-site scripting," which may mean that someone could add unauthorized commands to the router's administrative interface, provided they have the administrative passwords in the first place. We're just guessing here, as Netgear isn't providing details.
But Netgear has given all these "medium" severity scores of 6/10. There are too many routers affected to list in this paragraph. Suffice it to say if your model appears in the table below, but not in the lists of the more severe flaws above, then it's got one of these cross-site scripting flaws.
Which Netgear router do I have?
Now comes the fun part. Netgear does a terrible job of communicating to its customers exactly what each router's model number actually is.
Netgear barely uses the actual model numbers in its consumer marketing and packaging, which doesn't help when its customers have to scramble to figure out whether their model needs a security update.
For example, the R8000P, one of the models that currently has a cross-site-scripting flaw, is marketed as the "AC4000 Nighthawk X6S Tri-Band WiFi Router with MU-MIMO."
On the Netgear website page for that model, you have to squint to find the model number, or notice that the number is part of the page's URL. Likewise, our own Netgear Nighthawk X6S review doesn't mention the actual R8000P model name.
To make sure which Netgear model you have, turn the device over and look at the sticker on the bottom. The model number should be in the upper left, printed underneath the "NETGEAR" logo.
How to update your Netgear router's firmware
Unfortunately, the update procedures differ among the various models. The Orbis and some of the newer Nighthawks can be patched via their companion smartphone apps. Older models may need to be patched manually by downloading a compressed file to a PC or Mac, then connecting the router or modem-router to the computer.
Easiest:
If your router does have a companion smartphone Netgear app, then please do poke around in that and find out where to update the router's firmware.
Somewhat less easy:
You can also pop open a web browser on a laptop or PC when you're connected to your home Wi-Fi network and type in "www.routerlogin.net" or "192.168.1.1". That should take you to the local administration interface for the router.
Type in your administrative username and password -- let's hope you didn't leave them on the factory defaults -- then find the Advanced tab, select Administration and then Router Update. Click "Check" and the router will check for an update, after which you can follow the instructions to install it.
Pain in the butt, but you gotta do it if nothing else works:
Alternately, all Netgear customers can go to the Netgear support website, go through a few steps to narrow down the selection to their model, see if there's firmware available, download it to a PC and then, well, find the online user manual for instructions on how to install the firmware.
We wish this was an easier process. Router updates are one of the most critical things you can do to keep your computers, smartphones, gaming consoles, smart-home devices and personal information safe. Someday all router makers will understand that.
All Netgear home networking devices that need to install the March 2020 firmware updates
Modem/routers:
D6200, D6220, D6400, D7000, D7000v2, D7800, D8500
Range extenders:
PR2000
Routers:
JR6150, R6120, R6220, R6230, R6250, R6260, R6400, R6400v2, R6700, R6700v2, R6700v3, R6800, R6900, R6900P, R6900v2, R7000, R7000P, R7100LG, R7300DST, R7500v2, R7800, R7900, R7900P, R8000, R8000P, R8300, R8500, R8900, R9000, RAX120, RBR20 (Orbi), RBS20 (Orbi), RBK20 (Orbi), RBR40 (Orbi), RBS40 (Orbi), RBK40 (Orbi), RBR50 (Orbi), RBS50 (Orbi), RBK50 (Orbi), XR500, XR700
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
LoreeSelmer I have a Nighthawk AC1900 R7000. Based on the article I was expecting to find an updated version of the firmware, but as of this morning there isn't one for this model. Automatic update finds nothing, web site shows that version 1.0.9.88_10.2.88 is the latest version. Netgear oddly does not include a release date in their release notes, the web page for this firmware release is dated 8/15/2019.
https://kb.netgear.com/000061067/R7000-Firmware-Version-1-0-9-88 -
LoreeSelmer
DRTMI said: How long does it usually take for them to upload a patch?
I don't have a good answer for that, but I created an account with Netgear and registered my product, and they have been sending me firmware update notifications via email. You may also have the option of enabling automatic updates in the router. I have an R7000 and find this option in the Advanced tab under Administration in the Router Update screen. -
AMill LoreeSelmer said: I have a Nighthawk AC1900 R7000. Based on the article I was expecting to find an updated version of the firmware, but as of this morning there isn't one for this model. Automatic update finds nothing, web site shows that version 1.0.9.88_10.2.88 is the latest version. Netgear oddly does not include a release date in their release notes, the web page for this firmware release is dated 8/15/2019.
https://kb.netgear.com/000061067/R7000-Firmware-Version-1-0-9-88
I'm seeing the exact same thing for my R6700v2 - no update found through web interface and the latest firmware from the website matches my version (page last updated 8/22/2019) -
AMill
LoreeSelmer said: I have a Nighthawk AC1900 R7000. Based on the article I was expecting to find an updated version of the firmware, but as of this morning there isn't one for this model. Automatic update finds nothing, web site shows that version 1.0.9.88_10.2.88 is the latest version. Netgear oddly does not include a release date in their release notes, the web page for this firmware release is dated 8/15/2019.
https://kb.netgear.com/000061067/R7000-Firmware-Version-1-0-9-88
In the case of my router, I already had the patch (looks like it came out in August 2019). The link here indicates the vulnerability is:
R7000, running firmware versions prior to 1.0.9.42
If you are already above that revision (I was on my router) you should be good -
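The version check this thread keeps coming back to, as an added example that is not part of the original article or comments and is not Netgear's own tooling: it parses Netgear-style firmware strings such as V1.0.9.42_10.2.44 and compares them numerically against the R7000 threshold quoted in the comment above. The names `FIXED_IN`, `parse_firmware` and `needs_update` are hypothetical, and comparing only the part before the underscore is an assumption.

```python
from __future__ import annotations

import re

# Threshold as quoted in the comment above ("R7000, running firmware versions
# prior to 1.0.9.42"). Taken from the thread; no other model's fixed version
# appears on this page, so none is listed.
FIXED_IN = {"R7000": "1.0.9.42"}


def parse_firmware(version: str) -> tuple[int, ...]:
    """Turn 'V1.0.9.42_10.2.44' into (1, 0, 9, 42).

    Accepts an optional 'V' prefix and an optional '_x.y.z' suffix. Only the
    part before the underscore is compared (assumption, see lead-in).
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)(?:_[\d.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(model: str, installed: str) -> bool | None:
    """True if installed is older than the known fixed version, False if it
    is the same or newer, None when no threshold is known for the model."""
    fixed = FIXED_IN.get(model.strip())
    if fixed is None:
        return None
    # Tuple comparison is numeric per field, so 1.0.9.6 sorts before 1.0.9.42
    # (a plain string comparison would get that wrong).
    return parse_firmware(installed) < parse_firmware(fixed)


if __name__ == "__main__":
    # Versions reported in the comments, plus one constructed older build.
    samples = [
        ("R7000", "1.0.9.88_10.2.88"),   # from the thread
        ("R7000", "V1.0.9.42_10.2.44"),  # from the thread
        ("R7000", "V1.0.9.6_1.2.19"),    # constructed sample
        ("R8300", "1.0.2.128"),          # constructed sample, no threshold known
    ]
    for model, fw in samples:
        print(model, fw, needs_update(model, fw))
```

A result of `None` means the page gives no fixed version for that model, so the check cannot say anything about it.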
DRTMI AMill said: In the case of my router, I already had the patch (looks like it came out in August 2019). The link here indicates the vulnerability is:
If you are already above that revision (I was on my router) you should be good
Thank you for that. -
Dimme I have two Netgear R7000 running older firmware V1.0.9.42_10.2.44. I do not upgrade because every newer version of firmware I make my routers become unstable. I do not use them as routers, I have an Edge Router X, but I do use the Nighthawks as my Wi-Fi access points, after the Edge router. So am I secure since my traffic is going through the Edge router first? -
pmjm R8300 here, and the most recent firmware is from Jan 28, 2019.
So what are we supposed to do at this point? -
GLComputing The latest update for the R8000 seems to be August 2019
https://www.netgear.com/support/product/r8000.aspx#download
https://kb.netgear.com/000061164/R8000-Firmware-Version-1-0-4-46 -
LoreeSelmer Just got an email from Netgear about updating my Nighthawk R7000. There is no new firmware release, per email and Netgear web site the latest release is still 1.0.9.88 from July 4 2019.