Netgear this week has pushed out a passel of patches for its home networking gear, covering seven modem-router gateways, one range extender and 40-odd routers, including some Nighthawk models and Orbi mesh routers and satellites.
A full list of the affected models is at the end of this story.
The worst of the flaws lets hackers remotely install malware on the Nighthawk X4S gaming router, model R7800. That could lead to the entire Wi-Fi network and all web traffic that runs through it being compromised. Netgear gives that vulnerability a severity score of 9.4/10, which qualifies as "critical."
- Best Wi-Fi routers: Keep that home network humming
- How to update your router's firmware: What to do
- PLUS: Coronavirus just canceled one of the biggest events of the year
Almost as bad is a "pre-authentication command injection security vulnerability" on five models, which could also lead to total network takeover. That affects router models R6400v2, R6700, R6700v3, R6900 and R7900. It gets a "high" severity rating of 8.3/10.
Right behind that is a "post-authentication command injection security vulnerability." The only difference from the previous flaw is that the attacker apparently has to be logged in somehow.
It gets a "high" rating of 8/10 and affects the D6220, D6400, D7000v2 and D8500 gateways and the R6220, R6250, R6260, R6400, R6400v2, R6700, R6700v2, R6700v3, R6800, R6900, R6900P, R6900v2, R7000, R7000P, R7100LG, R7300DST, R7800, R7900, R7900P, R8000, R8000P, R8300, R8500, R8900, R9000 and XR500 routers.
- A router VPN is the best way to secure your Wi-Fi at home
The less severe flaws
Moderately dangerous is an "authentication bypass security vulnerability" on 11 routers and gateways and one range extender. Netgear's description of the flaw is pretty vague, but given the 6.8/10, "medium" severity score, it implies that an outside attacker could gain unauthorized access to your home Wi-Fi network.
That may be a danger to other devices connected to the network, but probably not to the router itself. This flaw affects the D6200 and D7000 modem-routers, the PR2000 Wi-Fi range extender and the R6050, JR6150, R6120, R6220, R6230, R6260, R6700v2, R6800 and R6900v2 routers.
About 20 flaws involve "stored cross-site scripting," which may mean that someone could add unauthorized commands to the router's administrative interface, provided they have the administrative passwords in the first place. We're just guessing here, as Netgear isn't providing details.
But Netgear has given all these "medium" severity scores of 6/10. There are too many routers affected to list in this paragraph. Suffice it to say if your model appears in the table below, but not in the lists of the more severe flaws above, then it's got one of these cross-site scripting flaws.
- A virtual router can share your VPN connections with other devices
Which Netgear router do I have?
Now comes the fun part. Netgear does a terrible job of communicating to its customers exactly what each router's model number actually is.
Netgear barely uses the actual model numbers in its consumer marketing and packaging, which doesn't help when its customers have to scramble to figure out whether their model needs a security update.
For example, the R8000P, one of the models that currently has a cross-site-scripting flaw, is marketed as the "AC4000 Nighthawk X6S Tri-Band WiFi Router with MU-MIMO."
On the Netgear website page for that model, you have to squint to find the model number, or notice that the number is part of the page's URL. Likewise, our own Netgear Nighthawk X6S review doesn't mention the actual R8000P model name.
To make sure which Netgear model you have, turn the device over and look at the sticker on the bottom. The model number should be in the upper left, printed underneath the "NETGEAR" logo.
How to update your Netgear router's firmware
Unfortunately, the update procedures differ among the various models. The Orbis and some of the newer Nighthawks can be patched via their companion smartphone apps. Older models may need to be patched manually by downloading a compressed file to a PC or Mac, then connecting the router or modem-router to the computer.
If your router does have a companion smartphone Netgear app, then please do poke around in that and find out where to update the router's firmware.
Somewhat less easy:
You can also pop open a web browser on a laptop or PC when you're connected to your home Wi-Fi network and type in "www.routerlogin.net" or "192.168.1.1". That should take you to the local administration interface for the router.
Type in your administrative username and password -- let's hope you didn't leave them on the factory defaults -- then find the Advanced tab, select Administration and then Router Update. Click "Check" and the router will check for an update, after which you can follow the instructions to install it.
Pain in the butt, but you gotta do it if nothing else works:
Alternately, all Netgear customers can go to the Netgear support website, go through a few steps to narrow down the selection to their model, see if there's firmware available, download it to your PC and then, well, find the online user manual for instructions on how to install the firmware.
We wish this was an easier process. Router updates are one of the most critical things you can do to keep your computers, smartphones, gaming consoles, smart-home devices and personal information safe. Someday all router makers will understand that.
All Netgear home networking devices that need to install the March 2020 firmware updates
D6200, D6220, D6400, D7000, D7000v2, D7800, D8500
JR6150, R6120, R6220, R6230, R6250, R6260, R6400, R6400v2, R6700, R6700v2, R6700v3, R6800, R6900, R6900P, R6900v2, R7000, R7000P, R7100LG, R7300DST, R7500v2, R7800, R7900, R7900P, R8000, R8000P, R8300, R8500, R8900, R9000, RAX120, RBR20 (Orbi), RBS20 (Orbi), RBK20 (Orbi), RBR40 (Orbi), RBS40 (Orbi), RBK40 (Orbi), RBR50 (Orbi), RBS50 (Orbi), RBK50 (Orbi), XR500, XR700
I'm seeing the exact same thing for my R6700v2 - no update found through web interface and the latest firmware from the website matches my version (page last updated 8/22/2019)
If you are already above that revision (I was on my router) you should be good
Thank you for that.
So what are we supposed to do at this point?