CVE-2017-6862
Published 2017-05-26
CVE-2017-6862: NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1.0.0.66, and WNR2000v5 devices before 1.0.0.42 allow authentication bypass and remote code…
Priority P189 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability · due 2022-06-22
Exploited in the wild
EPSS: 42.70% (98.5th percentile)
NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1.0.0.66, and WNR2000v5 devices before 1.0.0.42 allow authentication bypass and remote code execution via a buffer overflow that uses a parameter in the administration webapp. The NETGEAR ID is PSV-2016-0261.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | wnr2000_firmware | < 1.0.0.42 | 1.0.0.42 |
| netgear | wnr2000_firmware | < 1.0.0.66 | 1.0.0.66 |
| netgear | wnr2000_firmware | < 1.1.2.14 | 1.1.2.14 |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NetGear WNR2000v5 Buffer Overflow Attempt Inbound (CVE-2017-6862)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>1000; content:"unauth.cgi"; fast_pattern; content:"timestamp="; reference:cve,2017-6862; classtype:attempted-admin; sid:2038736; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_09_06, cve CVE_2017_6862, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_08;)
- Look for inbound HTTP GET requests targeting 'unauth.cgi' with a URI length greater than 1000 bytes, combined with a 'timestamp=' parameter; this pattern is characteristic of the buffer overflow exploitation attempt.
- The exploit targets the administration webapp of NETGEAR WNR2000 devices (v3, v4, v5) via a parameter-based buffer overflow enabling authentication bypass and remote code execution.
- The Snort/ET rule targets WNR2000v5 specifically in its message, but the vulnerability affects WNR2000v3, v4, and v5; ensure detection coverage is applied to all three device generations.
- The ET rule is recommended for both Perimeter and Internal deployment, indicating the exploit may be attempted from internal network segments as well.
CVSS provenance
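| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |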
GHSA
GHSA-xjjj-92c2-q84f: NETGEAR WNR2000v3 devices before 1
ghsa_unreviewed · 2022-05-17
CVE-2017-6862 [CRITICAL] CWE-119
NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1.0.0.66, and WNR2000v5 devices before 1.0.0.42 allow authentication bypass and remote code execution via a buffer overflow that uses a parameter in the administration webapp. The NETGEAR ID is PSV-2016-0261.
VulnCheck
NETGEAR Multiple Devices Buffer Overflow Vulnerability
vulncheck · 2017 · CVSS 9.8
CVE-2017-6862 [CRITICAL] CWE-119
Multiple NETGEAR devices contain a buffer overflow vulnerability that allows for authentication bypass and remote code execution.
Affected: NETGEAR Multiple Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/uscert/ncas/alerts/aa22-158a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cisa.gov/news-events/cybersecurity-advisories/aa22-158a; https://eclypsium.com/blog/vulnerabilities-in-netgear-firmware-based-iot-devices-in-the-enterprise/
Remediation Due: 2022-06-22
CISA
NETGEAR Multiple Devices Buffer Overflow Vulnerability
cisa · 2022-06-08 · CVSS 9.8
CVE-2017-6862 [CRITICAL] CWE-119
Affected: NETGEAR Multiple Devices
Multiple NETGEAR devices contain a buffer overflow vulnerability that allows for authentication bypass and remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-6862
Remediation Due Date: 2022-06-22
Suricata
ET EXPLOIT NetGear WNR2000v5 Buffer Overflow Attempt Inbound (CVE-2017-6862)
suricata · 2022-09-06 · CVSS 9.8
CVE-2017-6862 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NetGear WNR2000v5 Buffer Overflow Attempt Inbound (CVE-2017-6862)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>1000; content:"unauth.cgi"; fast_pattern; content:"timestamp="; reference:cve,2017-6862; classtype:attempted-admin; sid:2038736; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_09_06, cve CVE_2017_6862, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_08;)
No public exploits indexed.
- http://www.securityfocus.com/bid/98740
- https://kb.netgear.com/000038542/Security-Advisory-for-Unauthenticated-Remote-Code-Execution-on-Some-Routers-PSV-2016-0261
- https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_netgear_wnr2000v5_-_cve-2017-6862.pdf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-6862
2017-05-26: Published
2022-06-08: Added to CISA KEV
Exploited in the wild