Netgear warns users to patch auth bypass, XSS router flaws
Netgear warned customers to update their devices to the latest available firmware, which patches stored cross-site scripting (XSS) and authentication bypass vulnerabilities in several WiFi 6 router models.
The stored XSS security flaw (fixed in firmware version 1.0.0.72 and tracked as PSV-2023-0122) impacts the XR1000 Nighthawk gaming router.
While the company didn't disclose any details regarding this bug, successful attacks exploiting such weaknesses can let threat actors hijack user sessions, redirect users to malicious sites or display fake login forms, and steal restricted information.
They can also perform actions with the compromised user's permissions, an especially dangerous scenario if the user has administrative privileges on the targeted device.
The authentication bypass security bug (fixed in firmware version 2.2.2.2 and tracked as PSV-2023-0138) impacts CAX30 Nighthawk AX6 6-Stream cable modem routers.
Even though Netgear hasn't shared any information regarding this vulnerability either, such flaws are usually tagged as maximum severity since they can provide attackers with unauthorized access to the administrative interface and can result in a complete takeover of the targeted devices.
A Netgear spokesperson was not immediately available to share more details regarding the two security flaws when BleepingComputer reached out earlier today.
How to update your router's firmware
In security advisories published on Wednesday, Netgear said it "strongly recommends that you download the latest firmware as soon as possible."
To download and install the latest firmware for your Netgear router, you have to go through the following steps:
- Visit NETGEAR Support.
- Start by entering your model number in the search box. Then, choose your model from the drop-down menu when it appears.
- If you do not see a drop-down menu, make sure you have entered your model number correctly or select a product category to browse for your product model.
- Click Downloads.
- Under Current Versions, select the first download whose title begins with Firmware Version.
- Click Download.
- To install the new firmware, follow the instructions in your product's user manual, firmware release notes, or product support page.
"NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification," the company added.
Last month, security researchers disclosed half a dozen vulnerabilities of varying severity impacting Netgear WNR614 N300, a popular router among home users and small businesses.
Since this router model reached end-of-life and is no longer supported by Netgear, the company will not release security patches and advised users to replace the router or apply mitigation measures to block potential attacks.
source: BleepingComputer
Free security scan for your website