Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Many NETGEAR Routers Leak Admin Passwords

NETGEAR has released firmware updates for many of its routers after an expert discovered that they are affected by serious vulnerabilities that can be exploited to obtain the administrator password for the user interface.

NETGEAR has released firmware updates for many of its routers after an expert discovered that they are affected by serious vulnerabilities that can be exploited to obtain the administrator password for the user interface.

Trustwave researcher Simon Kenin started analyzing NETGEAR routers nearly one year ago, when he was too lazy to get out of bed to perform a cold reboot of his router, and instead attempted to reboot it from its web interface. Since he had forgotten the password, he started looking for ways to remotely hack the device.

The researcher discovered a couple of exploits from 2014 that could be used to obtain a NETGEAR router’s login password via the unauth.cgi and passwordrecovered.cgi script files. Experts had previously demonstrated that a numeric password recovery token provided by unauth.cgi can be used in a request to passwordrecovered.cgi to obtain the device’s username and password in clear text.

Passwordrecovered.cgi is related to a password recovery feature present in NETGEAR routers. If the password recovery feature is disabled, which is the default setting, the current password can be obtained by sending a request to passwordrecovered.cgi with the correct recovery token.

Kenin noticed that the old exploits still worked, but he also discovered a new variant of this authentication bypass flaw. He determined that the token is not checked properly on the very first request after a reboot of the device, allowing an attacker to obtain the password by passing any data to passwordrecovered.cgi, not necessarily a correct token.

The vulnerabilities, tracked as CVE-2017-5521, can be exploited by an attacker with access to the local network or from the Internet if the remote administration feature, which is disabled by default, is enabled on the device.

NETGEAR was informed about the vulnerabilities in April 2016. The vendor released an initial advisory in June, but only workarounds were made available at the time.

The latest version of the advisory shows that NETGEAR has released security updates for 20 affected routers, but there are still a dozen models and firmware versions that remain unpatched. For devices that don’t have a firmware fix available, the manufacturer recommends manually enabling the password recovery feature – the exploits do not work if this feature is enabled – and disabling remote management.

Trustwave has identified more than 10,000 vulnerable devices that are remotely accessible. However, considering that NETGEAR is one of the top router manufacturers and has a significant market share, experts believe hundreds of thousands and possibly even more than one million routers could be affected.

“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password,” Kenin said in a blog post. “With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well.”

NETGEAR recently announced the launch of a bug bounty program, with rewards of up to $15,000 per vulnerability. The decision to launch the program came after several researchers complained about how the company handled vulnerability disclosures.

UPDATE. NETGEAR has provided SecurityWeek the following statement:

NETGEAR is aware of the vulnerability (CVE-2017-5521), that has been recently publicized by TrustWave. This is not a new or recent development. We have been working with the security analysts to evaluate the vulnerability. NETGEAR has published a knowledge base article from our support page, which lists the affected routers and the available firmware fix.

Firmware fixes are currently available for the majority of the affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for the model and visit the firmware release page for further instructions. For devices that are still pending final firmware updates, please follow the advised work around.

Please note that this vulnerability occurs when an attacker can gain access to the internal network or when remote management is enabled on the router. Remote management is turned off by default; although remote management can turned on through the advanced settings. 

NETGEAR does appreciate and value having security concerns brought to our attention. We constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR’s mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

Related: Netgear Starts Patching Critical Router Flaw

Related: Serious Flaws Found in Netgear, NUUO Network Video Recorders

Related: Remotely Exploitable 0-Day Impacts NETGEAR WNR2000 Routers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.