Thousands of Netgear routers are at risk of getting hacked: What to do

Netgear Nighthawk R7000
The Netgear Nighthawk R7000, which has one of the more severe vulnerabilities. (Image credit: Netgear)

Netgear this week has pushed out a passel of patches for its home networking gear, covering seven modem-router gateways, one range extender and 40-odd routers, including some Nighthawk models and Orbi mesh routers and satellites. 

A full list of the affected models is at the end of this story.

The worst of the flaws lets hackers remotely install malware on the Nighthawk X4S gaming router, model R7800. That could lead to the entire Wi-Fi network and all web traffic that runs through it being compromised. Netgear gives that vulnerability a severity score of 9.4/10, which qualifies as "critical."

Almost as bad is a "pre-authentication command injection security vulnerability" on five models, which could also lead to total network takeover. That affects router models R6400v2, R6700, R6700v3, R6900 and  R7900. It gets a "high" severity rating of 8.3/10.

Right behind that is a "post-authentication command injection security vulnerability." The only difference from the previous flaw is that the attacker apparently has to be logged in somehow. 

It gets a "high" rating of 8/10 and affects the D6220, D6400, D7000v2 and D8500 gateways and the R6220, R6250, R6260, R6400, R6400v2, R6700, R6700v2, R6700v3, R6800, R6900, R6900P, R6900v2, R7000, R7000P, R7100LG, R7300DST, R7800, R7900, R7900P, R8000, R8000P, R8300, R8500, R8900, R9000 and XR500 routers. 

  • A router VPN is the best way to secure your Wi-Fi at home

The less severe flaws  

Moderately dangerous is an "authentication bypass security vulnerability" on 11 routers and gateways and one range extender. Netgear's description of the flaw is pretty vague, but given the 6.8/10, "medium" severity score, it implies that an outside attacker could gain unauthorized access to your home Wi-Fi network. 

That may be a danger to other devices connected to the network, but probably not to the router itself. This flaw affects the D6200 and D7000 modem-routers, the PR2000 Wi-Fi range extender and the R6050, JR6150, R6120, R6220, R6230, R6260, R6700v2, R6800 and R6900v2 routers.

About 20 flaws involve "stored cross-site scripting," which may mean that someone could add unauthorized commands to the router's administrative interface, provided they have the administrative passwords in the first place. We're just guessing here, as Netgear isn't providing details. 

But Netgear has given all these "medium" severity scores of 6/10. There are too many routers affected to list in this paragraph. Suffice it to say if your model appears in the table below, but not in the lists of the more severe flaws above, then it's got one of these cross-site scripting flaws.

Which Netgear router do I have?

Now comes the fun part. Netgear does a terrible job of communicating to its customers exactly what each router's model number actually is. 

Netgear barely uses the actual model numbers in its consumer marketing and packaging, which doesn't help when its customers have to scramble to figure out whether their model needs a security update. 

For example, the R8000P, one of the models that currently has a cross-site-scripting flaw, is marketed as the "AC4000 Nighthawk X6S Tri-Band WiFi Router with MU-MIMO." 

On the Netgear website page for that model, you have to squint to find the model number, or notice that the number is part of the page's URL. Likewise, our own Netgear Nighthawk X6S review doesn't mention the actual R8000P model name.

To make sure which Netgear model you have, turn the device over and look at the sticker on the bottom. The model number should be in the upper left, printed underneath the "NETGEAR" logo.

How to update your Netgear router's firmware

Unfortunately, the update procedures differ among the various models. The Orbis and some of the newer Nighthawks can be patched via their companion smartphone apps. Older models may need to be patched manually by downloading a compressed file to a PC or Mac, then connecting the router or modem-router to the computer.

Easiest:

If your router does have a companion smartphone Netgear app, then please do poke around in that and find out where to update the router's firmware. 

Somewhat less easy:

You can also pop open a web browser on a laptop or PC when you're connected to your home Wi-Fi network and type in "www.routerlogin.net" or "192.168.1.1". That should take you to the local administration interface for the router.

Type in your administrative username and password -- let's hope you didn't leave them on the factory defaults -- then find the Advanced tab, select Administration and then Router Update. Click "Check" and the router will check for an update, after which you can follow the instructions to install it.

Pain in the butt, but you gotta do it if nothing else works:

Alternately, all Netgear customers can go to the Netgear support website, go through a few steps to narrow down the selection to their model, see if there's firmware available, download it to your PC and then, well, find the online user manual for instructions on how to install the firmware.

We wish this was an easier process. Router updates are one of the most critical things you can do to keep your computers, smartphones, gaming consoles, smart-home devices and personal information safe. Someday all router makers will understand that.

All Netgear home networking devices that need to install the March 2020 firmware updates

Modem/routers:

D6200, D6220, D6400, D7000, D7000v2, D7800, D8500

Range extenders:

PR2000

Routers:

JR6150, R6120, R6220, R6230, R6250, R6260, R6400, R6400v2, R6700, R6700v2, R6700v3, R6800, R6900,  R6900P, R6900v2, R7000, R7000P,  R7100LG, R7300DST, R7500v2, R7800, R7900, R7900P, R8000, R8000P, R8300, R8500, R8900, R9000, RAX120, RBR20 (Orbi), RBS20 (Orbi), RBK20 (Orbi), RBR40 (Orbi), RBS40 (Orbi), RBK40 (Orbi), RBR50 (Orbi), RBS50 (Orbi), RBK50 (Orbi), XR500, XR700

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • DRTMI
    How long does it usually take for them to upload a patch?
    Reply
  • LoreeSelmer
    I have a Nighthawk AC1900 R7000. Based on the article I was expecting to find an updated version of the firmware, but as of this morning there isn't one for this model. Automatic update finds nothing, web site shows that version 1.0.9.88_10.2.88 is the latest version. Netgear oddly does not include a release date in their release notes, the web page for this firmware release is dated 8/15/2019.

    https://kb.netgear.com/000061067/R7000-Firmware-Version-1-0-9-88
    Reply
  • LoreeSelmer
    DRTMI said:
    How long does it usually take for them to upload a patch?
    I don't have a good answer for that, but I created an account with Netgear and registered my product, and they have been sending me firmware update notifications via email. You may also have the option of enabling automatic updates in the router. I have an R7000 and find this option in the Advanced tab under Administration in the Router Update screen.
    Reply
  • AMill
    LoreeSelmer said:
    I have a Nighthawk AC1900 R7000. Based on the article I was expecting to find an updated version of the firmware, but as of this morning there isn't one for this model. Automatic update finds nothing, web site shows that version 1.0.9.88_10.2.88 is the latest version. Netgear oddly does not include a release date in their release notes, the web page for this firmware release is dated 8/15/2019.

    https://kb.netgear.com/000061067/R7000-Firmware-Version-1-0-9-88

    I'm seeing the exact same thing for my R6700v2 - no update found through web interface and the latest firmware from the website matches my version (page last updated 8/22/2019)
    Reply
  • AMill
    LoreeSelmer said:
    I have a Nighthawk AC1900 R7000. Based on the article I was expecting to find an updated version of the firmware, but as of this morning there isn't one for this model. Automatic update finds nothing, web site shows that version 1.0.9.88_10.2.88 is the latest version. Netgear oddly does not include a release date in their release notes, the web page for this firmware release is dated 8/15/2019.

    https://kb.netgear.com/000061067/R7000-Firmware-Version-1-0-9-88
    In the case of my router, I already had the patch (looks like it came out in August 2019). The link here indicates the vulnerability is:

    R7000, running firmware versions prior to 1.0.9.42

    If you are already above that revision (I was on my router) you should be good
    Reply
  • DRTMI
    AMill said:
    In the case of my router, I already had the patch (looks like it came out in August 2019). The link here indicates the vulnerability is:



    If you are already above that revision (I was on my router) you should be good


    Thank you for that.
    Reply
  • Dimme
    I have two netgear R7000 running older firmware V1.0.9.42_10.2.44. I do not upgrade because every newer verson of firmware I make my routers become unstable. I do not use them as routers, I have an Edge Router X, but I do use the nighthawks as my wifi access points, after the Edge router. So am I secure since my traffic is going throught the edge router first?
    Reply
  • pmjm
    R8300 here, and the most recent firmware is from Jan 28, 2019.

    So what are we supposed to do at this point?
    Reply
  • GLComputing
    The latest update for the R8000 seems to be August 2019
    https://www.netgear.com/support/product/r8000.aspx#downloadhttps://kb.netgear.com/000061164/R8000-Firmware-Version-1-0-4-46
    Reply
  • LoreeSelmer
    Just got an email from Netgear about updating my Nighthawk R7000. There is no new firmware release, per email and Netgear web site the latest release is still 1.0.9.88 from July 4 2019.
    Reply