CVE-2017-6862
published 2017-05-26

Priority: P189, critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
KEV: CISA Known Exploited Vulnerability, due 2022-06-22
ITW: Exploited in the wild
EPSS: 42.70% (98.5th percentile)
NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1.0.0.66, and WNR2000v5 devices before 1.0.0.42 allow authentication bypass and remote code execution via a buffer overflow that uses a parameter in the administration webapp. The NETGEAR ID is PSV-2016-0261.

Affected

3 ranges
Vendor    Product             Version range   Fixed in
netgear   wnr2000_firmware    < 1.0.0.42      1.0.0.42
netgear   wnr2000_firmware    < 1.0.0.66      1.0.0.66
netgear   wnr2000_firmware    < 1.1.2.14      1.1.2.14

Detection & IOCs (extracted from sources)

path: unauth.cgi
other: timestamp=
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NetGear WNR2000v5 Buffer Overflow Attempt Inbound (CVE-2017-6862)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>1000; content:"unauth.cgi"; fast_pattern; content:"timestamp="; reference:cve,2017-6862; classtype:attempted-admin; sid:2038736; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_09_06, cve CVE_2017_6862, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_08;)
  • Look for inbound HTTP GET requests targeting 'unauth.cgi' with a URI length greater than 1000 bytes, combined with a 'timestamp=' parameter — this pattern is characteristic of the buffer overflow exploitation attempt.
  • The exploit targets the administration webapp of NETGEAR WNR2000 devices (v3, v4, v5) via a parameter-based buffer overflow enabling authentication bypass and remote code execution.
  • The Snort/ET rule targets WNR2000v5 specifically in its message, but the vulnerability affects WNR2000v3, v4, and v5; ensure detection coverage is applied to all three device generations.
  • The ET rule is recommended for both Perimeter and Internal deployment, indicating the exploit may be attempted from internal network segments as well.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL