Thousands of Netgear Wi-Fi routers need to be patched now — here's how

Netgear Nighthawk XR700 Gaming Router
(Image credit: Netgear)

It's time to update your Netgear Wi-Fi router once again. The home-networking-device maker has pushed out security updates for 35 different models of routers, Wi-Fi range extenders and combination modem-routers to fix three flaws discovered by British security firm Immersive Labs.

Two of the Netgear router flaws let an attacker, who already has access to the router's administration interface, hack it to change configuration settings. Those new settings could then be used to create backdoors that would give hackers permanent remote access to the router's controls. 

Once a hacker has control of your router, they can see and control where you go on the internet and can often see what you're receiving and sending. 

To be fair, just getting access to the administration interface in the first place pretty much means game over already, but this is a serious flaw that needs to be fixed nonetheless.

Another Netgear router flaw lets someone on the local network get the router's serial number by querying a specific "port," or network interface. 

Normally, this wouldn't be so bad, but as Immersive Labs researcher Kev Breen explained in a company blog post yesterday (Dec. 2), "this serial number is used as part of the [administrative] password reset function on most Netgear devices."

"This mechanism is supposed to ensure only those with physical access to the device can reset the password," Breen added, because normally the serial number is visible only on a sticker on the physical device. "Armed with this information, it is now possible for any user on the network to brute-force the password-reset questions."

This less-serious attack requires local network access, but that's not as hard to get as it seems for an attacker. Many home-network Wi-Fi access passwords can be guessed or brute-forced. If malware sneaks onto a computer, smartphone, gaming console or smart device in the home by other means, then it will have local network access too.

How to update your Netgear Wi-Fi router's firmware

Updating Netgear routers to the latest firmware depends on the model. Many newer Netgear routers have automatic updates enabled by default, and you'll just need to make sure the feature is turned on. 

With some others, you have to go to the administrative interface and manually check for updates, which the router can then download and install itself. Many of the models affected by these flaws also support the Netgear Nighthawk mobile app, which lets you check for and install router firmware right from your smartphone.

Older models may require a more complicated router-update procedure that involves going to the Netgear support website, entering the router's model number (it's printed on a sticker on the device itself), going to that model's support page, checking for firmware updates, downloading the update file to a Mac or PC, and then uploading the file to the router through the administrative interface.

If you need to go to the Netgear router administrative panel, you can usually reach it at http://192.168.1.1 in a web browser if you're on the router's local network. Some Netgear routers also let you use http://routerlogin.com or http://routerlogin.net.

In general, the username for the Netgear router administrative interface is "admin." You can change that if you like, but it's much more important to make sure that the password for the administrative interface has been changed from the default password. 

Default passwords for most home Wi-Fi routers, whether made by Netgear or not, can easily be found online. Leaving yours as is just makes you a sitting duck for hackers.

While you're in your router's administrative settings, you'll want to go to the "Advanced" part of the interface, then look for "Advanced Setup." Click on UPnP and make sure it's disabled. 

Then click on "Web Services Management" or "Remote Management" and disable that as well. Doing so will remove two common channels of attack that hackers often use to attack routers.

Netgear Wi-Fi routers that need to be updated

Following are two lists of Netgear devices, listed by model number, that need to be updated. The firmware version number listed is the version that fixes these flaws. You can see the version number of the firmware that your own router is running in the top right corner of the administrative interface.

Eighteen Netgear Wi-Fi routers, range extenders and combination modem-routers are vulnerable to the first two flaws above, which let an attacker change a router's configuration settings. (Both versions of the RAX120 may also be vulnerable to other Wi-Fi router flaws disclosed by different researchers this week.)

DSL Modem Routers

  • D7800 fixed in firmware version 1.0.1.66

Wi-Fi Range Extenders

  • EX2700 fixed in firmware version 1.0.1.68
  • WN3000RPv2 fixed in firmware version 1.0.0.90
  • WN3000RPv3 fixed in firmware version 1.0.2.100

LTE Modem Routers

  • LBR1020 (an Orbi wireless broadband gateway) fixed in firmware version 2.6.5.20

Orbi Wi-Fi Systems

  • LBR20 fixed in firmware version 2.6.5.32

Wi-Fi Routers

  • R6700AX fixed in firmware version 1.0.10.110
  • R7800 fixed in firmware version 1.0.2.86
  • R8900 fixed in firmware version 1.0.5.38
  • R9000 fixed in firmware version 1.0.5.38
  • RAX10 fixed in firmware version 1.0.10.110
  • RAX120v1 fixed in firmware version 1.2.3.28
  • RAX120v2 fixed in firmware version 1.2.3.28
  • RAX70 fixed in firmware version 1.0.10.110
  • RAX78 fixed in firmware version 1.0.10.110
  • XR450 fixed in firmware version 2.3.2.130
  • XR500 fixed in firmware version 2.3.2.130
  • XR700 fixed in firmware version 1.0.1.46

Seventeen Netgear Wi-Fi router models are vulnerable to the third flaw, which makes the device serial number visible.

Wi-Fi Routers

  • AC2100 fixed in firmware version 1.2.0.88
  • AC2400 fixed in firmware version 1.2.0.88
  • AC2600 fixed in firmware version 1.2.0.88
  • D7000 fixed in firmware version 1.0.1.82
  • R6220 fixed in firmware version 1.1.0.110
  • R6230 fixed in firmware version 1.1.0.110
  • R6260 fixed in firmware version 1.1.0.84
  • R6330 fixed in firmware version 1.1.0.84
  • R6350 fixed in firmware version 1.1.0.84
  • R6700v2 fixed in firmware version 1.2.0.88
  • R6800 fixed in firmware version 1.2.0.88
  • R6850 fixed in firmware version 1.1.0.84
  • R6900v2 fixed in firmware version 1.2.0.88
  • R7200 fixed in firmware version 1.2.0.88
  • R7350 fixed in firmware version 1.2.0.88
  • R7400 fixed in firmware version 1.2.0.88
  • R7450 fixed in firmware version 1.2.0.88
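If you look after more than one Netgear device, here is an added Python script (not from the article, Immersive Labs or Netgear) that encodes the two lists above and tells you whether a given model is listed and whether the firmware it is running is older than the fixed version; the "V1.0.2.86_2.0.0" display format it parses is an assumption about how the admin interface shows the version.

```python
import re

# Fixed firmware versions exactly as listed in the article above (constructed lookup).
CONFIG_CHANGE_FIXES = {
    "D7800": "1.0.1.66", "EX2700": "1.0.1.68", "WN3000RPv2": "1.0.0.90",
    "WN3000RPv3": "1.0.2.100", "LBR1020": "2.6.5.20", "LBR20": "2.6.5.32",
    "R6700AX": "1.0.10.110", "R7800": "1.0.2.86", "R8900": "1.0.5.38",
    "R9000": "1.0.5.38", "RAX10": "1.0.10.110", "RAX120v1": "1.2.3.28",
    "RAX120v2": "1.2.3.28", "RAX70": "1.0.10.110", "RAX78": "1.0.10.110",
    "XR450": "2.3.2.130", "XR500": "2.3.2.130", "XR700": "1.0.1.46",
}
SERIAL_DISCLOSURE_FIXES = {
    "AC2100": "1.2.0.88", "AC2400": "1.2.0.88", "AC2600": "1.2.0.88",
    "D7000": "1.0.1.82", "R6220": "1.1.0.110", "R6230": "1.1.0.110",
    "R6260": "1.1.0.84", "R6330": "1.1.0.84", "R6350": "1.1.0.84",
    "R6700v2": "1.2.0.88", "R6800": "1.2.0.88", "R6850": "1.1.0.84",
    "R6900v2": "1.2.0.88", "R7200": "1.2.0.88", "R7350": "1.2.0.88",
    "R7400": "1.2.0.88", "R7450": "1.2.0.88",
}
# Case-insensitive index: MODEL -> (flaw name, fixed version). The two lists do not overlap.
ADVISORY = {m.upper(): ("config-change", v) for m, v in CONFIG_CHANGE_FIXES.items()}
ADVISORY.update({m.upper(): ("serial-disclosure", v) for m, v in SERIAL_DISCLOSURE_FIXES.items()})

def parse_version(text):
    """Turn a firmware string into a tuple of ints so versions order correctly."""
    # Assumed UI form 'V1.0.2.86_2.0.0': optional leading V, build suffix after '_' ignored.
    m = re.match(r"^\s*v?(\d+(?:\.\d+)+)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def check_router(model, running_version):
    """Return (flaw, needs_update, fixed_version); flaw is None if the model is not listed."""
    entry = ADVISORY.get(model.strip().upper())
    if entry is None:
        return None, False, None
    flaw, fixed = entry
    return flaw, parse_version(running_version) < parse_version(fixed), fixed

if __name__ == "__main__":
    # Constructed sample inventory: (model, firmware as shown in the admin UI).
    for model, fw in [("R7800", "V1.0.2.80_1.0.0"), ("r6220", "V1.1.0.110_1.0.0"), ("R7000", "V1.0.11.100")]:
        flaw, stale, fixed = check_router(model, fw)
        if flaw is None:
            status = "not in this advisory"
        else:
            status = f"{flaw} flaw, " + ("UPDATE to " + fixed if stale else "patched")
        print(f"{model}: {status}")
```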

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.