CSRF/LocalFile/XSS product Vulnerability

Question

Netgear CM600, I was wondering if the CSRF / LocalFile / XSS product vulnerability has been fixed yet?I bought one and it has firmware version&nbsp;V1.&nbsp;01.05

mediatrek · Answer

v1.01.05 has that vulnerability. It was first reported by Netgear in&nbsp;late Fall&nbsp;2015. In December 2015 Netgear started giving fixed firmware to some cable MSO's (Comcast first if I recall). I am on Time Warner Cable (now Spectrum), and that MSO three months ago JUST approved the Netgear patched firmware for the CM600 (on TWC/Spectrum that is v1.01.12). Sadly the policy for my cable MSO is they no longer push firmware updates to consumer-owned modems, even if there are known security vulnerabilities. &nbsp;

dallascowboyswo · Answer

I checked and the current firmware for other ISPs is &nbsp;V1.01.06 . I use Suddenlink. I contacted Suddenlink twice and they stated they could not update the firmware. On the 3rd time the Tech said he attempted to update the firmware but when I rebooted I still had&nbsp;v1.01.05 So they were unable to update my firmware. Should I be concerned. Has the latest firmware been pushed to Suddenlink?

DarrenM · Answer

Here is the KB to the latest firmwares via ISP

https://kb.netgear.com/000036375/What-s-the-latest-firmware-version-of-my-NETGEAR-cable-modem-or-modem-router?cid=wmt_netgear_organic

DarrenM

dallascowboyswo · Answer

DarrenMYes that is the KB I saw and that I &nbsp;was referring to that got me started on the quest to redeem my firmware. Any idea if this has been pushed to Suddenlink, which is my ISP.

dallascowboyswo · Answer

After not being able to resolve this issue via Netgear or my ISP Technical support I returned the product and bought an Arris Surfboard SB6190.

Forum Discussion

CSRF/LocalFile/XSS product Vulnerability

5 Replies