CVE-2016-10176

high-risk
Published 2017-01-30

The NETGEAR WNR2000v5 router allows an administrator to perform sensitive actions by invoking the apply.cgi URL on the web server of the device. This special URL is handled by the embedded web server (uhttpd) and processed accordingly. The web server also contains another URL, apply_noauth.cgi, that allows an unauthenticated user to perform sensitive actions on the device. This functionality can be exploited to change the router settings (such as the answers to the password-recovery questions) and achieve remote code execution.

Do I need to act?

!
86.6% chance of exploitation in next 30 days
EPSS score — higher than 13% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
40949
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Netgear

References (10)

Patch http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Sec...
Exploit http://seclists.org/fulldisclosure/2016/Dec/72
Third Party Advisory http://www.securityfocus.com/bid/95867
Exploit https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.t...
https://www.exploit-db.com/exploits/40949/
Patch http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Sec...
Exploit http://seclists.org/fulldisclosure/2016/Dec/72
Third Party Advisory http://www.securityfocus.com/bid/95867
Exploit https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.t...
https://www.exploit-db.com/exploits/40949/
57
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal