Thousands of Netgear Wi-Fi routers need to be patched now — here's how

It's time to update your Netgear Wi-Fi router once again. The home-networking-device maker has pushed out security updates for 35 different models of routers, Wi-Fi range extenders and combination modem-routers to fix three flaws discovered by British security firm Immersive Labs.

Two of the Netgear router flaws let an attacker, who already has access to the router's administration interface, hack it to change configuration settings. Those new settings could then be used to create backdoors that would give hackers permanent remote access to the router's controls. 

Once a hacker has control of your router, they can see and control where you go on the internet and can often see what you're receiving and sending. 

To be fair, just getting access to the administration interface in the first place pretty much means game over already, but this is a serious flaw that needs to be fixed nonetheless.

Another Netgear router flaw lets someone on the local network get the router's serial number by querying a specific "port," or network interface. 

Normally, this wouldn't be so bad, but as Immersive Labs researcher Kev Breen explained in a company blog post yesterday (Dec. 2), "this serial number is used as part of the [administrative] password reset function on most Netgear devices."

"This mechanism is supposed to ensure only those with physical access to the device can reset the password," Breen added, because normally the serial number is visible only on a sticker on the physical device. "Armed with this information, it is now possible for any user on the network to brute-force the password-reset questions."

This less-serious attack requires local network access, but that's not as hard to get as it seems for an attacker. Many home-network Wi-Fi access passwords can be guessed or brute-forced. If malware sneaks onto a computer, smartphone, gaming console or smart device in the home by other means, then it will have local network access too.

How to update your Netgear Wi-Fi router's firmware

Updating Netgear routers to the latest firmware depends on the model. Many newer Netgear routers have automatic updates enabled by default, and you'll just need to make sure the feature is turned on. 

With some others, you have to go to the administrative interface and manually check for updates, which the router can then download and install itself. Many of the models affected by these flaws also support the Netgear Nighthawk mobile app, which lets you check for and install router firmware right from your smartphone.

Older models may require a more complicated router-update procedure that involves going to the Netgear support website, entering the router's model number (it's printed on a sticker on the device itself), going to that model's support page, checking for firmware updates, downloading the update file to a Mac or PC, and then uploading the file to the router through the administrative interface.

If you need to go to the Netgear router administrative panel, you can usually reach it at http://192.168.1.1 in a web browser if you're on the router's local network. Some Netgear routers also let you use http://routerlogin.com or http://routerlogin.net.

In general, the username for the Netgear router administrative interface is "admin." You can change that if you like, but it's much more important to make sure that the password for the administrative interface has been changed from the default password. 

Default passwords for most home Wi-Fi routers, whether made by Netgear or not, can easily be found online. Leaving yours as is just makes you a sitting duck for hackers.

While you're in your router's administrative settings, you'll want to go to the "Advanced" part of the interface, then look for "Advanced Setup." Click on UPnP and make sure it's disabled. 

Then click on "Web Services Management" or "Remote Management" and disable that as well. Doing so will remove two common channels of attack that hackers often use to attack routers.

Netgear Wi-Fi routers that need to be updated

Following are two lists of Netgear devices, listed by model number, that need to be updated. The firmware version number listed is the version that fixes these flaws. You can see the version number of the firmware that your own router is running in the top right corner of the administrative interface.

Eighteen Netgear Wi-Fi routers, range extenders and combination modem-routers are vulnerable to the first two flaws above, which let an attacker change a router's configuration settings. (Both versions of the RAX120 may also be vulnerable to other Wi-Fi router flaws disclosed by different researchers this week.)

DSL Modem Routers

  • D7800 fixed in firmware version 1.0.1.66

Wi-Fi Range Extenders

  • EX2700 fixed in firmware version 1.0.1.68
  • WN3000RPv2 fixed in firmware version 1.0.0.90
  • WN3000RPv3 fixed in firmware version 1.0.2.100

LTE Modem Routers

  • LBR1020 (an Orbi wireless broadband gateway) fixed in firmware version 2.6.5.20

Orbi Wi-Fi Systems

  • LBR20 fixed in firmware version 2.6.5.32

Wi-Fi Routers

  • R6700AX fixed in firmware version 1.0.10.110
  • R7800 fixed in firmware version 1.0.2.86
  • R8900 fixed in firmware version 1.0.5.38
  • R9000 fixed in firmware version 1.0.5.38
  • RAX10 fixed in firmware version 1.0.10.110
  • RAX120v1 fixed in firmware version 1.2.3.28
  • RAX120v2 fixed in firmware version 1.2.3.28
  • RAX70 fixed in firmware version 1.0.10.110
  • RAX78 fixed in firmware version 1.0.10.110
  • XR450 fixed in firmware version 2.3.2.130
  • XR500 fixed in firmware version 2.3.2.130
  • XR700 fixed in firmware version 1.0.1.46

Seventeen Netgear Wi-Fi router models are vulnerable to the third flaw, which makes the device serial number visible.

Wi-Fi Routers

  • AC2100 fixed in firmware version 1.2.0.88
  • AC2400 fixed in firmware version 1.2.0.88
  • AC2600 fixed in firmware version 1.2.0.88
  • D7000 fixed in firmware version 1.0.1.82
  • R6220 fixed in firmware version 1.1.0.110
  • R6230 fixed in firmware version 1.1.0.110
  • R6260 fixed in firmware version 1.1.0.84
  • R6330 fixed in firmware version 1.1.0.84
  • R6350 fixed in firmware version 1.1.0.84
  • R6700v2 fixed in firmware version 1.2.0.88
  • R6800 fixed in firmware version 1.2.0.88
  • R6850 fixed in firmware version 1.1.0.84
  • R6900v2 fixed in firmware version 1.2.0.88
  • R7200 fixed in firmware version 1.2.0.88
  • R7350 fixed in firmware version 1.2.0.88
  • R7400 fixed in firmware version 1.2.0.88
  • R7450 fixed in firmware version 1.2.0.88
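
If you look after more than one of these devices, the check described above (the version your router is running against the version that fixes the flaws) can be scripted. The following is an added example, not code from Netgear or Immersive Labs: the inventory entries are constructed, and ignoring a leading "V" or a trailing suffix in the version string is an assumption about how the version is displayed.

```python
import re

# Fixed firmware versions copied from the two lists in this article ("version: models").
FIXED_TABLE = """
1.0.1.66: D7800
1.0.1.68: EX2700
1.0.0.90: WN3000RPv2
1.0.2.100: WN3000RPv3
2.6.5.20: LBR1020
2.6.5.32: LBR20
1.0.10.110: R6700AX RAX10 RAX70 RAX78
1.0.2.86: R7800
1.0.5.38: R8900 R9000
1.2.3.28: RAX120v1 RAX120v2
2.3.2.130: XR450 XR500
1.0.1.46: XR700
1.2.0.88: AC2100 AC2400 AC2600 R6700v2 R6800 R6900v2 R7200 R7350 R7400 R7450
1.0.1.82: D7000
1.1.0.110: R6220 R6230
1.1.0.84: R6260 R6330 R6350 R6850
"""

def parse_version(text):
    """Dotted version as a tuple of ints (assumed: leading 'V' and any suffix ignored)."""
    m = re.match(r"\s*[Vv]?(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

FIXED = {}
for line in FIXED_TABLE.strip().splitlines():
    version, models = line.split(":")
    for model in models.split():
        FIXED[model.upper()] = parse_version(version)

def needs_update(model, running):
    """True if below the fixed version, False if not, None if the model is not listed."""
    fixed = FIXED.get(model.strip().upper())
    return None if fixed is None else parse_version(running) < fixed

# Constructed inventory for illustration (not real devices).
INVENTORY = [("R7800", "V1.0.2.68"), ("RAX10", "1.0.9.90"),
             ("XR700", "1.0.1.46"), ("R7000", "1.0.9.88")]

def audit(inventory):
    return [(m, v) for m, v in inventory if needs_update(m, v)]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

Versions are compared number by number, so 1.0.9.90 is correctly treated as older than 1.0.10.110; comparing the two as plain text would get that wrong. A result of None means the model is not in the lists here, not that it is safe.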
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
