Security experts have warned that several models of Netgear routers contain a vulnerability that could allow attackers to take almost total control of the devices. A security researcher going by the alias “Aceworm” discovered the flaw and released its details last week. He claims to have informed Netgear about the issue in August but never heard back.

By tricking a user on the router's local network into opening a malicious web link, a remote attacker can execute arbitrary shell commands as root on an affected router. The victim's browser is what sends the request, so the attacker needs neither a foothold on the network nor the router's admin password. The root cause is that the router's web interface passes part of the request URL to a system shell without sanitizing it, so shell metacharacters in the path (a semicolon to end the intended command, $IFS in place of a space) let an attacker append commands of their own.
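The mechanism described above, as an added example that is not the page's own code and not Netgear's firmware (the router's httpd is a closed binary; this is a constructed model of the behaviour the advisory describes). It assumes a dispatcher that runs scripts under a hypothetical CGI directory by handing a command line to sh -c, shows why a path such as /cgi-bin/;echo$IFS'injected' gets its second half executed, and puts a hardened dispatcher beside it that validates the script name and never touches a shell:

```python
import os
import re
import subprocess
import tempfile

# Constructed stand-in for the router's CGI directory: a temp dir holding one
# harmless script named "status", so both dispatchers have something to run.
CGI_DIR = tempfile.mkdtemp(prefix="cgi-bin-")
with open(os.path.join(CGI_DIR, "status"), "w") as f:
    f.write("echo status-ok\n")

CGI_PREFIX = "/cgi-bin/"


def _script_name(url_path):
    """Return the part of the request path after /cgi-bin/."""
    if not url_path.startswith(CGI_PREFIX):
        raise ValueError("not a CGI request: " + url_path)
    return url_path[len(CGI_PREFIX):]


def vulnerable_dispatch(url_path):
    """Model of the flawed handler (assumption, not the real httpd code): the
    script name taken from the URL is pasted into a shell command line and
    handed to sh -c. On the router that shell runs as root; here it runs as
    the current user, so only use harmless payloads."""
    cmd = "sh " + CGI_DIR + "/" + _script_name(url_path)
    # For "/cgi-bin/;echo$IFS'injected'" the command line becomes
    #   sh <CGI_DIR>/;echo$IFS'injected'
    # ';' ends the (failing) first command; $IFS expands to whitespace and is
    # field-split, separating "echo" from its argument without any literal
    # space in the URL. The shell therefore runs:  echo injected
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout.strip()


# A plain script name: no leading dot, no slash, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]*")


def hardened_dispatch(url_path):
    """Fixed handler: accept only a plain script name that exists in CGI_DIR,
    then run it via an argv list (no shell), so no metacharacter in the URL
    is ever interpreted. Returns None when the request is rejected."""
    name = _script_name(url_path)
    if not SAFE_NAME.fullmatch(name):
        return None
    script = os.path.join(CGI_DIR, name)
    if not os.path.isfile(script):
        return None
    proc = subprocess.run(["sh", script], capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    # Harmless stand-in for the ;killall$IFS'httpd' payload discussed on this page.
    attack = "/cgi-bin/;echo$IFS'injected'"
    print("vulnerable:", vulnerable_dispatch(attack))          # injected
    print("hardened:  ", hardened_dispatch(attack))            # None
    print("hardened:  ", hardened_dispatch("/cgi-bin/status"))  # status-ok
```

The fix has two parts that belong together: the allow-list on the script name rejects anything with a separator or metacharacter before it reaches the dispatcher, and the argv-list call means that even a name that slipped through would be treated as a filename, never parsed by a shell. Filtering alone while still calling sh -c leaves the handler one regex mistake away from the original bug.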

Netgear has confirmed the vulnerability is present in the following models:

  • R6250
  • R6400
  • R6700
  • R7000
  • R7100LG
  • R7300
  • R7900
  • R8000

Another security researcher, “Kalypto Pink,” warned in a separate post that other models not listed by Netgear are vulnerable, including the Nighthawk X8 Tri-Band WiFi Router (Model R8500) and Nighthawk X10 Smart WiFi Router (R9000).

In an advisory published on Friday, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University said: "Exploiting this vulnerability is trivial."

"Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available," the organization added.

Netgear says it is still working on a firmware fix for the command injection vulnerability. In the meantime, CERT/CC suggests a temporary workaround that turns the flaw against itself: the injected command killall stops the router's web server (httpd), which is the component that exposes the vulnerability. From a browser on the router's local network, the command is issued with the following URL:

http://[router_IP]/cgi-bin/;killall$IFS'httpd'

Here [router_IP] is the router's address on the local network, the same address used to reach its administration page. The request works because the path after /cgi-bin/ reaches a shell: the semicolon terminates whatever command the web server meant to run, and $IFS (the shell's internal field separator, which expands to whitespace) separates killall from its argument without putting a literal space in the URL. CERT/CC notes that once httpd is killed the router's web administration page is unreachable until the device is restarted. A restart also brings the vulnerable web server back, so the workaround has to be repeated after every reboot and is only a stopgap until fixed firmware is installed.
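Because the workaround request is byte-for-byte the same pattern an attacker would send, anyone watching traffic to these routers should expect it to trigger whatever detection they have, and should detect the encoded variants too. The following is an added example, not code from the page, CERT/CC or Netgear: it scans constructed common-log-format lines (as a proxy or network sensor in front of the router might record them; the router itself keeps no such log) for requests to /cgi-bin/ whose percent-decoded path carries shell metacharacters, covering the literal and URL-encoded forms of the page's own killall URL:

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common log format. Two are the page's
# workaround URL (literal and percent-encoded); the other two are benign.
SAMPLE_LOG = """\
192.168.1.10 - - [11/Dec/2016:20:14:02 +0000] "GET /cgi-bin/;killall$IFS'httpd' HTTP/1.1" 200 0
192.168.1.10 - - [11/Dec/2016:20:15:30 +0000] "GET /cgi-bin/%3Bkillall%24IFS%27httpd%27 HTTP/1.1" 200 0
192.168.1.10 - - [11/Dec/2016:20:16:11 +0000] "GET /start.htm HTTP/1.1" 200 5120
192.168.1.12 - - [11/Dec/2016:20:17:45 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64
"""

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Shell metacharacters that have no business in a CGI script name:
# ';' ends a command, $IFS / ${IFS} stand in for a space, and the rest
# chain or substitute commands.
SHELL_META = re.compile(r"[;|&`]|\$\{?IFS\}?|\$\(")


def decode_path(path, rounds=3):
    """Percent-decode until the string stops changing (bounded), so %3B and a
    double-encoded %253B both come out as ';'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_injection_requests(log_text):
    """Return (source IP, decoded path) for every request whose decoded path
    targets /cgi-bin/ and carries a shell metacharacter after the prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = decode_path(m.group("path"))
        if path.startswith("/cgi-bin/") and SHELL_META.search(path[len("/cgi-bin/"):]):
            hits.append((m.group("src"), path))
    return hits


if __name__ == "__main__":
    for src, path in find_injection_requests(SAMPLE_LOG):
        print(f"{src} -> {path}")
```

Two points for whoever triages the alerts: the source address will be an internal host, because in the attack scenario on this page it is the victim's own browser that issues the request, so the source IP identifies the compromised browsing session, not the attacker; and decoding before matching is not optional, since a browser will happily send the %3B and %24 forms and the router's shell sees the same bytes either way.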

Netgear is offering a beta version of the firmware fix but warns that it has not been fully tested and might not work for all users. It is currently available for the R6400, R7000 and R8000 routers, with more models being added today.