I have checked the router setting for port forwarding / triggering, disabled remote management, etc. However the router's login prompt is accessible external using HTTP (not https though). Using http://xxx.xxx.xxx.xx/m/ Any ideas? Critical defect? Thanks

What? That does't make any sense....Having the login prompt for the router exposed to the internet is a serious and significant concern when remote management is off. Not only is it HTTP (which is insecure and easily sniffed) it allows anyone the ability to brute Force the router and gain access over time. That URL should not be accessible from any device anywhere on the internet. It should be blocked by default. I also was able to verify this on a RAX80 router as well.

You are logging into the router not an internet site its not such a concern, its been like this for years. If it was a banking site it would be different but its directly into the machine and with a strong password it is secure. HTTPS would be an improvement never the less.

Straitpipe wrote:Having the login prompt for the router exposed to the internet .... It isn't. See above. "You are logging into the router not an internet site...."

I know where the login is going. Remote management is disabled so access to that URL shouldn't be available remotely....even if it was it should be on ssl...no router makes access to it's admin interface available externally by default. (Cisco, D-Link, etc). That is a very bad practice. That being said and ignoring our differences on secure administration, how do I disable it?

Belive me I am with you on HTTPS, but as far as I know you can't, https works with some models but mostly messes up. I would do what many of us have been doing for years and mention this to netgear and wait for nothing to happen. At the end you can use .com or 198.162.1.* whatever * is, either default or what you have changed it to. For now its the best you will get, and its not considered by Netgear to be a problem... its been the same for years sadly as you can see here.https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Unencrypted-dashboard-Login-No-https/td-p/1380777

RAX120 login exposed? | NETGEAR Communities

22 Replies

Killhippie
Prodigy
Nov 15, 2019
You are logging into the router not an internet site its not such a concern, its been like this for years. If it was a banking site it would be different but its directly into the machine and with a strong password it is secure. HTTPS would be an improvement never the less.
- Straitpipe
  Tutor
  Nov 15, 2019
  What? That does't make any sense....Having the login prompt for the router exposed to the internet is a serious and significant concern when remote management is off. Not only is it HTTP (which is insecure and easily sniffed) it allows anyone the ability to brute Force the router and gain access over time. That URL should not be accessible from any device anywhere on the internet. It should be blocked by default. I also was able to verify this on a RAX80 router as well.
  - michaelkenward
    Guru
    Nov 15, 2019
    Straitpipe wrote:
    Having the login prompt for the router exposed to the internet ....
    
    It isn't. See above.
    
    "You are logging into the router not an internet site...."

Forum Discussion

RAX120 login exposed?