Millions of Netgear routers need security updates right away — what you need to do

[Photo: Netgear Nighthawk RAXE500 router. Image credit: Netgear]

Got a Netgear router? I do, and like yours, mine probably needs to be patched right away.

That's because the enterprising folks at D.C.-area security firm Grimm have found yet another very serious Netgear flaw, as detailed in a report Nov. 16. This comes (relatively) hot on the heels of the previous bunch of Netgear security updates back in September of this year. 

This time around, Netgear lists more than 40 different models of routers, range extenders and a couple of other devices, from models nearly a decade old to brand-new models on our list of the best Wi-Fi routers, that need to install firmware updates to protect themselves from total hacker takeover.

Unfortunately, nearly 40 other Netgear models may not get any updates, as many of them are already too old to get any further support. 

We've got a list of all the affected models at the end of this story. Altogether, we're looking at about 80 different models of Wi-Fi routers, Wi-Fi range extenders, DSL gateways and other devices. The number of affected individual units has to be at least several hundred thousand, and may be in the low millions.

How to update your Netgear router's firmware

The newer your Netgear router is, the easier it is to update the firmware. Netgear's Orbi mesh routers generally update themselves, and they also have a companion smartphone app that you can use to check for and to install updates. 

Netgear's Nighthawk routers also have a companion app, although using it is optional for at least some models, as is the automatic-update setting. With some Nighthawks, it's generally best to go into the administrative interface (try "http://192.168.1.1/admin" or "routerlogin.net" while connected to your home network) and check the "Advanced" section for firmware updates. From there, you should be able to launch the update sequence.

If the above methods don't work with your Netgear router, then you need to go to Netgear support at https://www.netgear.com/support/ and type the model number of your router into the search field at the top of the page. (We've got more instructions here on how to update your router's firmware.)

However, the model number may not be obvious. Some routers come with their branding and specifications proudly listed on the box, such as "Nighthawk AXE11000 Tri-Band WiFi 6E." But that's not the model name, which is actually "RAXE500." (That's the router in the photo at the top of this story, and it does need to be patched.)

Look for a sticker on the router itself displaying the model number — it may be on the side or on the bottom. To further complicate things, Netgear sometimes changes the inner circuits of a router while leaving the exterior the same during the production lifespan, so you may see a "v2" or "v3" appended to the model number.

Once you have the model number, the search function on the Netgear support site should take you to that model's support page. Scroll down the page to find "Firmware and Software Downloads" and click it. 

You'll then see a button that will let you download the firmware update to your PC or Mac. Do that, but don't forget to click the Release Notes link just below it, which in turn will lead you to a link that leads to a downloadable version of your router's user manual, which will show you how to install the firmware update. The firmware update itself may come with its own instructions.

So what is this Netgear flaw that's being fixed?

The fatal flaw in all of these models involves a stack-overflow vulnerability in the Universal Plug and Play component of the router firmware. The flaw is catalogued as CVE-2021-34991 and is listed as applying to only one specific router with a specific firmware version, which got an update on Sept. 16. But the problem is much more widespread than that.

Universal Plug and Play, or UPnP for short, is a protocol that lets new devices, such as gaming consoles or printers, connect to routers without a lot of fuss. It turns out that a fixed character limit in one function of the UPnP service on these Netgear routers can be overflowed, which permits an attacker on the local network — i.e., already linked to your router as a regular user — to send a malicious command to the router that overrides the router's internal safeguards and gives the attacker total control of the router without any kind of authorization.

Once that's done, the attacker can pretty much see anything you do online, and can also send you to malicious websites or break into more devices on your network.

You may think that it's enough to just keep intruders out of your network to prevent such an attack, but it's not that hard to crack a Wi-Fi network access password or to sneak malicious software onto a poorly secured device, such as an out-of-date computer or a smart-home device.

Suffice it to say that you want to install the Netgear firmware update on your router tout de suite — if you can.

Netgear routers with firmware patches available

Here's a list, copied from the Netgear website, of the models that have firmware updates or "hot fixes" available to fix this flaw, along with the most recent firmware version that they should be updated to.

Routers:

  •     R6400 fixed in firmware version 1.0.1.76
  •     R6400v2 fixed in firmware version 1.0.4.120
  •     R6700v3 fixed in firmware version 1.0.4.120
  •     R6900P fixed in firmware version 1.3.3.142_HOTFIX
  •     R7000 fixed in firmware version 1.0.11.128
  •     R7000P fixed in firmware version 1.3.3.142_HOTFIX
  •     R7100LG fixed in firmware version 1.0.0.72
  •     R7850 fixed in firmware version 1.0.5.76
  •     R7900P fixed in firmware version 1.4.2.84
  •     R7960P fixed in firmware version 1.4.2.84
  •     R8000 fixed in firmware version 1.0.4.76
  •     R8000P fixed in firmware version 1.4.2.84
  •     R8300 fixed in firmware version 1.0.2.156
  •     R8500 fixed in firmware version 1.0.2.156
  •     RAX15 fixed in firmware version 1.0.4.100
  •     RAX20 fixed in firmware version 1.0.4.100
  •     RAX200 fixed in firmware version 1.0.5.132
  •     RAX35v2 fixed in firmware version 1.0.4.100
  •     RAX38v2 fixed in firmware version 1.0.4.100
  •     RAX40v2 fixed in firmware version 1.0.4.100
  •     RAX42 fixed in firmware version 1.0.4.100
  •     RAX43 fixed in firmware version 1.0.4.100
  •     RAX45 fixed in firmware version 1.0.4.100
  •     RAX48 fixed in firmware version 1.0.4.100
  •     RAX50 fixed in firmware version 1.0.4.100
  •     RAX50S fixed in firmware version 1.0.4.100
  •     RAX75 fixed in firmware version 1.0.5.132
  •     RAX80 fixed in firmware version 1.0.5.132
  •     RAXE450 fixed in firmware version 1.0.8.70
  •     RAXE500 fixed in firmware version 1.0.8.70
  •     RS400 fixed in firmware version 1.5.1.80
  •     WNDR3400v3 fixed in firmware version 1.0.1.42
  •     WNR3500Lv2 fixed in firmware version 1.2.0.70
  •     XR300 fixed in firmware version 1.0.3.68

DSL Modem Routers:

  •     D6220 fixed in firmware version 1.0.0.76
  •     D6400 fixed in firmware version 1.0.0.108
  •     D7000v2 fixed in firmware version 1.0.0.76
  •     DGN2200v4 fixed in firmware version 1.0.0.126

Wi-Fi extenders:

  •     EX3700 fixed in firmware version 1.0.0.94
  •     EX3800 fixed in firmware version 1.0.0.94
  •     EX6120 fixed in firmware version 1.0.0.66
  •     EX6130 fixed in firmware version 1.0.0.66

AirCards:

  •     DC112A fixed in firmware version 1.0.0.62

Cable Modems:

  •     CAX80 fixed in firmware version 2.1.3.5

Netgear models that may or may not get a firmware update

Here's a list of Netgear models that the Grimm team determined were vulnerable to these attacks, but which Netgear hasn't specifically listed as getting patches for this flaw. The firmware version numbers listed below ARE vulnerable, according to Grimm. 

Unfortunately, there are models on Netgear's list of patches that aren't on Grimm's list of vulnerable devices. And there are models on Grimm's list that aren't on Netgear's list, yet have received security patches in the last few months that pushed the firmware versions beyond the vulnerable ones listed below, so they may actually have available patches for this flaw. 

To complicate things further, there are six models that Grimm says are not vulnerable because past firmware updates "broke" UPnP for them. Four of those — D6220, D6400, R6400 and R7000 — are on Netgear's list of patched models. Two others, D8500 and R6300v2, are not, and the only available firmware updates for them are the vulnerable ones listed below.

The best thing to do, if you have one of the models listed below, is to follow the procedures above about checking to see if a firmware update is available for your model on the Netgear support site. 

If the available firmware update has a version number later than what's below, then you may be getting a patch for the above flaw, especially if the release note for the flaw has a date in the past few months. Go ahead and install the update.

But if the version number of the available firmware update matches the firmware number below, and the release-note date is more than a few months old, then it might be time to get a new router.

  • AC1450 - 1.0.0.36
  • D6300 - 1.0.0.102
  • D8500 - 1.0.3.60
  • DGN2200M - 1.0.0.35
  • DGND3700v1 - 1.0.0.17
  • EX3920 - 1.0.0.88
  • EX6000 - 1.0.0.44
  • EX6100 - 1.0.2.28
  • EX6150 - 1.0.0.46
  • EX6920 - 1.0.0.54
  • EX7000 - 1.0.1.94
  • MVBR1210C - 1.2.0.35BM
  • R4500 - 1.0.0.4
  • R6200 - 1.0.1.58
  • R6200v2 - 1.0.3.12
  • R6250 - 1.0.4.48
  • R6300 - 1.0.2.80
  • R6300v2 - 1.0.4.52
  • R6700 - 1.0.2.16
  • R6900 - 1.0.2.16
  • R7300DST - 1.0.0.74
  • R7900 - 1.0.4.38
  • WGR614v9 - 1.2.32
  • WGT624v4 - 2.0.13
  • WNDR3300v1 - 1.0.45
  • WNDR3300v2 - 1.0.0.26
  • WNDR3400v1 - 1.0.0.52
  • WNDR3400v2 - 1.0.0.54
  • WNDR3700v3 - 1.0.0.42
  • WNDR4000 - 1.0.2.10
  • WNDR4500 - 1.0.1.46
  • WNDR4500v2 - 1.0.0.72
  • WNR834Bv2 - 2.1.13
  • WNR1000v3 - 1.0.2.78
  • WNR2000v2 - 1.2.0.12
  • WNR3500 - 1.0.36NA
  • WNR3500v2 - 1.2.2.28NA
  • WNR3500L - 1.2.2.48NA
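The check described above (is the installed firmware at or past the fixed version for a patched model, and does it match or exceed the known-vulnerable build for an unpatched model?) is easy to get wrong if you compare version strings as text, because "1.0.9.88" sorts after "1.0.11.128" alphabetically even though it is the older build. The script below is an added example written for this story, not a tool from Netgear or Grimm. It carries a subset of the two lists above as constructed lookup tables, splits each version into its numeric fields and any trailing tag, and compares the numbers field by field. Treating a tag such as "_HOTFIX" as a required part of the fixed build, and ignoring regional tags such as "NA" or "BM" when ordering builds, is an assumption about how Netgear's version strings relate, not something the article states.

```python
"""Decide whether a Netgear device's installed firmware is past the fix for CVE-2021-34991.

Added example for this article; not Netgear's or Grimm's code. The two tables below are
constructed from the article's lists (a subset is enough to show the logic).
"""
import re
from typing import Tuple

# Models with a listed fix: model -> firmware version that carries the fix (from the article).
FIXED = {
    "R6400": "1.0.1.76",
    "R6400v2": "1.0.4.120",
    "R6900P": "1.3.3.142_HOTFIX",
    "R7000": "1.0.11.128",
    "RAXE500": "1.0.8.70",
    "WNR3500Lv2": "1.2.0.70",
    "CAX80": "2.1.3.5",
}

# Models Grimm found vulnerable with no listed fix: model -> the vulnerable build (from the article).
KNOWN_VULNERABLE = {
    "R6300v2": "1.0.4.52",
    "WGR614v9": "1.2.32",
    "MVBR1210C": "1.2.0.35BM",
    "WNR3500L": "1.2.2.48NA",
}

# Leading dotted numbers, then whatever tag follows ("_HOTFIX", "NA", "BM" or nothing).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '1.3.3.142_HOTFIX' into ((1, 3, 3, 142), '_HOTFIX')."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def compare_numeric(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1 comparing two dotted-number tuples field by field.

    The shorter tuple is padded with zeros so that 1.0.4 compares equal to 1.0.4.0.
    """
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed build is at or past the fixed build.

    Assumption: at an equal build number, a tag on the fixed version (e.g. "_HOTFIX")
    must also be present on the installed version for it to count as patched.
    """
    inst_num, inst_tag = parse_version(installed)
    fix_num, fix_tag = parse_version(fixed)
    order = compare_numeric(inst_num, fix_num)
    if order != 0:
        return order > 0
    return fix_tag == "" or inst_tag == fix_tag


def assess(model: str, installed: str) -> str:
    """Map a (model, installed firmware) pair to the action the article recommends."""
    if model in FIXED:
        fixed = FIXED[model]
        return "patched" if is_patched(installed, fixed) else f"update to {fixed}"
    if model in KNOWN_VULNERABLE:
        vuln_num, _ = parse_version(KNOWN_VULNERABLE[model])
        inst_num, _ = parse_version(installed)
        if compare_numeric(inst_num, vuln_num) > 0:
            return "newer than the known-vulnerable build; check the release notes"
        return "known vulnerable; no patch listed"
    return "not on either list"


if __name__ == "__main__":
    # Constructed sample inputs, including the string-compare trap (1.0.9.88 vs 1.0.11.128).
    for model, version in [
        ("RAXE500", "1.0.7.64"),
        ("R7000", "1.0.9.88"),
        ("R6900P", "1.3.3.142"),
        ("R6300v2", "1.0.4.52"),
        ("R6300v2", "1.0.4.60"),
    ]:
        print(f"{model} {version}: {assess(model, version)}")
```

Run it with your own model number and the firmware version shown in the router's admin page; extend the two tables with the rest of the lists above as needed. The "newer than the known-vulnerable build" result is deliberately not "patched": as the story notes, a later version on Grimm's list only *may* carry this fix, so the release notes still have to be read.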
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.