and it's very public now:   http://fortune.com/2016/12/12/netgear-router-models-critical-vulnerability/

Hopefully we see an R7800 FW soon

""  Acew0rm alerted Netgear to the problem on Aug. 25, but never heard back, the researcher told Fortune in a direct message on Twitter. So four months later, Acew0rm took the find public ""

If that doesn't sum up Netgears support (or lack of) with Firmware updates, I don't know what does!

I flashed the beta firmware on my R6400 in the early hours and after some basic testing it seems the issue has been resolved.

I tried 2 different tests, all done in Edge and Firefox.

-Running the reboot command directly: Was prompted for credentials

-Running the reboot command in a tab while another had routerlogin.net logged in: Was prompted for credentials once more

The fact that a fix had come four months after being reported is still ridiculous, but at least I can now remain on stock firmware without jumping to open source solutions.

@SeaSalt Thank you for the confirmation that the beta resolved it. I will forward it to our engineering team your feedback. 

Again, thank you and we appreciate your continued patience as we fix the issue. 

---

@BoDEAN wrote:

Hopefully we see an R7800 FW soon

 

---

The R7800 is not in the list of known affected models that we've verified are affected at this time. Are you running the latest firmware (please confirm the actual version number) and have you checked to see if your system is vulnerable?

@ElaineM Not a problem, I'm glad to hear a fix is on its way.

Hopefully you can nudge the engineering team a bit regarding features that still aren't there (android VPN support, for example).

SeaSalt, I gave up on actual support from netgear and flashed my device with DD-WRT.  At least I get actual support from the OpenSource community...  You would figure that a company who actually makes money on a product would take support of their product more seriously than someone doing the job in their spare time for free... but apparently that is not the case.  I owned the device less than a year and after spending a decent amount of money on it I had to wash my hands of the vendor... talk about disappointing!

@climb74 I agree, I'm incredibly dissapointed with my purchase. There's a lack of support from Netgear and that is unnerving for the price point of these products.

I tried out the open-source solutions, and though the featureset satisfied me, the throughput for wireless and wired was much lower compared to Netgear's stock firmware. I can't jump ship just yet, at least until the open-source community improves the firmware.

@SeaSalt I installed this on, and I get BETTER speed on 2.4G. On 5G no change but there I already got the maximum speed. Also LAN works very well. So no stock roms for me anymore, also because off the poor design and lack of support.

@GinaGerson Thank you for the link, I'll definetly test this out on my R7000 later today.

However there doesn't seem to be a similar solution for my R6400, which resides downstairs. My fingers are crossed for more support from other developers!

But the vulnerbility is to the router's admin UI running on the internal LAN.   Correct me if I am wrong but the UI

is not available to the WAN/Internet IP of the router unless remote administration is turned on?    I'm not saying its not a bad problem just that it seems exploitable only from the LAN (wireless and wired).

I tried limiting the administration to just a small internal IP range and the router would not allow the change saying invalid IP..  perhaps if I had a PC with an internal static IP and I limited the UI to just that single IP?  ( I know linksys allows the

adminUI to run on wired connections only...not so with the netgear).

@RMinNJ It's -among other things- run from a script f.e. from a website you load  on a browser on your pc, that's on your internal network. It's a real threat. 

Yeah, this is the last Netgear product I'll ever buy.

I save my money to finally buy a nice premium router for my home, and this is the kind of treatment I get?

meetloaf we've already released beta firmware for your R7000 with a fix.

Netgear has had since August to address this issue and has done nothing.  Anyone still using stock firmware is being foolhardy, Netgear has shown themselves to be inept and uncaring about their exisitng customer base.  Here is the scoop from Toms Hardware;

http://www.tomshardware.com/news/netgear-critical-security-vulnerability-router,33173.html

Again, I recommend to all R7000 customers that they download and install the Asus-Wrt firmware referenced earlier in this thread.  

Thanks slot Netgear, I like knowing my router just hit its expiration date from every tech news outlet.  Seeing recommendations that I shouldn't use the router from security officials is **bleep**ty when there was an opportunity to fix it

---

@RMinNJ wrote:

But the vulnerbility is to the router's admin UI running on the internal LAN.   Correct me if I am wrong but the UI

is not available to the WAN/Internet IP of the router unless remote administration is turned on?    I'm not saying its not a bad problem just that it seems exploitable only from the LAN (wireless and wired)....

---

Could someone verify this?

I realise that someone could trick me into visiting a web page with a script that executes the commands to give root access etc....

BUT, if I go to only reputable web sites that I have bookmarked and use noscript etc religiously, then is the risk mitigated or reduced substantially?

---

@ScottKitty wrote:

Thanks slot Netgear, I like knowing my router just hit its expiration date from every tech news outlet.

---

There is beta firmware with a fix available for your R7000 with production firmware on the way. Your router has not hit an "expiration date".

Putting an ETA on things like that is always difficult as it's difficult to predict how long QA testing will take. If both no regressions (issues not present in the previous firmware release) are found and included fixes are verified readily then it will be quicker than if we decide that there is more changes needed.

Naturally we are as keen as you for this process to complete as quickly as possible and we will update the advisory when the final version is available.

Thanks for your patience.

---

@Gandolph wrote:

Netgear has had since August to address this issue and has done nothing.

How do you know that? It would be interesting to have evidence.

---

@mdgm wrote:

NETGEAR is aware of the security issue #582384 affecting R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, R8000 routers. Stay updated here: http://kb.netgear.com/000036386/CVE-2016-582384

 

...

---

Please "pin" above link to the top of the page on home routers  https://community.netgear.com/t5/WiFi-Routers/ct-p/home-wifi-routers

 This should be prominently listed on the top of every thread pertaining to the affected devices.