The US Cert/CC has issued a vulnerability notice VU#5824384 covering Netgear R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220 and D7000 routers which are vulnerable to arbitrary command injection. Later AC3200, 5400 and 7200 routers are not affected.
By convincing a user to visit a specially crafted website, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers.
Netgear has issued an advisory and is rolling out firmware updates.
Cert/CC says that enabling remote administration allows affected routers to be exploited via direct requests from the WAN. As such, users are strongly advised to disable remote administration. Netgear’s Web interface has this under the Advanced tab, Advanced Setup, Remote Management – turn it off.