CVE-2016-6277 — NETGEAR Multiple Routers Remote Code Execution Vulnerability

CVE-2016-6277

NETGEAR R7000/R6400 and Others — Web Interface Command Injection via CSRF Enables Unauthenticated RCE on Home/SMB Routers; Widely Exploited by Botnets

What Is NETGEAR Multiple Routers?

NETGEAR is one of the largest home and small business networking equipment vendors globally. The affected router models — including the R7000, R6400, R8000, D6220, D6400, and others — are high-performance 802.11ac (Wi-Fi 5) routers widely deployed in homes and small offices. These routers provide the internet gateway for millions of households and small businesses, controlling all inbound and outbound network traffic, and their embedded Linux web interface manages router configuration.

Embedded consumer router vulnerabilities are among the most persistently exploited device categories: routers are rarely patched, often internet-facing (management interfaces exposed), and provide a privileged network position (all traffic passes through them), making them prime targets for botnet enrollment and traffic interception.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 7, 2022; federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-6277 is a command injection vulnerability in the web management interface of multiple NETGEAR router models. The web interface allows unauthenticated web pages to pass form input directly to the router's command-line interface without adequate sanitization. An attacker who persuades a user to visit a malicious web page (or exploits the vulnerability directly from the LAN) can inject arbitrary OS commands executed with root privileges on the router. Multiple NETGEAR models are affected. NETGEAR released firmware patches; CISA added CVE-2016-6277 to the KEV catalog in March 2022, reflecting widespread ongoing exploitation by botnets.

Affected Versions

NETGEAR Model      Status
R6400              Vulnerable (pre-firmware fix)
R7000              Vulnerable (pre-firmware fix)
R8000              Vulnerable (pre-firmware fix)
D6220              Vulnerable (pre-firmware fix)
D6400              Vulnerable (pre-firmware fix)
Additional models  See NETGEAR Security Advisory

Check NETGEAR's security advisory for the complete list of affected models and the specific patched firmware version for each.

Technical Details

Root Cause: Command Injection via Web Interface

CVE-2016-6277 is a command injection vulnerability in the NETGEAR router web management interface; it is tracked under CWE-352 because CSRF is the exploitation path, while the underlying weakness is OS command injection. The router's embedded HTTP server (httpd) processes form submissions from the web interface and passes form field values directly to shell commands without adequate sanitization, so shell metacharacters in the input break out of the intended command context.

CSRF-based exploitation from an external web page: When a user with access to the router's web interface visits a malicious external web page, the page executes JavaScript that sends crafted HTTP requests to the router's LAN IP address (typically 192.168.1.1). Because the requests originate from the victim's browser inside the LAN, the router processes them as if they came from a legitimate admin session.

Direct LAN exploitation: An attacker already on the local network can send crafted HTTP requests directly to the router's management interface without requiring CSRF.

Command injection payload: A URL like:

http://192.168.1.1/cgi-bin/;uname$IFS-a

causes the router to execute uname -a as root, confirming command injection. More impactful payloads download and execute botnet malware, modify DNS settings, or create backdoor accounts.
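The following detection routine is an added example and not part of the original advisory: it scans constructed combined-style access-log lines for the `/cgi-bin/;` injection pattern shown above, normalising URL-encoded and double-encoded variants before matching. The log format, sample lines and source addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log style (not real traffic).
# Lines 2 and 3 carry the public PoC path, plain and URL-encoded; line 4 is double-encoded.
SAMPLE_LOG = """\
192.168.1.23 - - [06/Dec/2016:10:01:02 +0000] "GET /start.htm HTTP/1.1" 200 5120
192.168.1.23 - - [06/Dec/2016:10:01:09 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 312
192.168.1.40 - - [06/Dec/2016:10:02:15 +0000] "GET /cgi-bin/%3Buname%24IFS-a HTTP/1.1" 200 312
192.168.1.40 - - [06/Dec/2016:10:02:40 +0000] "GET /cgi-bin/%3Buname%2524IFS-a HTTP/1.1" 200 312
192.168.1.23 - - [06/Dec/2016:10:03:00 +0000] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters plus the $IFS whitespace substitution used in the public PoC.
# '&' is deliberately left out because it is routine in query strings.
INJECTION_RE = re.compile(r'[;|`]|\$\(|\$\{?IFS\}?')


def decode_path(path: str) -> str:
    """Percent-decode twice so double-encoded payloads (%2524IFS -> $IFS) normalise."""
    return unquote(unquote(path))


def is_injection_attempt(path: str) -> bool:
    """True when a /cgi-bin/ request path carries shell metacharacters after decoding."""
    decoded = decode_path(path)
    return decoded.startswith('/cgi-bin/') and INJECTION_RE.search(decoded) is not None


def scan_log(text: str) -> list:
    """Return (source IP, timestamp, decoded path) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_injection_attempt(m.group('path')):
            hits.append((m.group('src'), m.group('ts'), decode_path(m.group('path'))))
    return hits


if __name__ == '__main__':
    for src, ts, path in scan_log(SAMPLE_LOG):
        print(f'{ts} {src} -> {path}')
```

Feed it the router's or an upstream proxy's access log; a hit from a LAN address is consistent with the CSRF path described above, since the victim's browser is the request source.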

Attack Characteristics

Attribute          Detail
Attack Vector      Network — via malicious web page (CSRF) or direct LAN request
User Interaction   Required for external exploitation (visit malicious page)
Authentication     None required
Execution          Root-level OS command injection
Affected Models    R7000, R6400, R8000, D6220, D6400, others

Discovery

Publicly disclosed by a security researcher on the Kali-NetHunter forum on December 6, 2016; NETGEAR confirmed the vulnerability and began releasing firmware fixes within days.

Exploitation Context

  • Mirai botnet successors: Following the Mirai IoT botnet (which leveraged default credentials), successor botnets targeted known router vulnerabilities including CVE-2016-6277 for recruitment; compromised NETGEAR routers have been enrolled in DDoS botnet networks and used for traffic interception
  • DNS hijacking attacks: Compromised home routers are used for DNS hijacking — modifying the router's DNS settings to redirect users to phishing pages for banking, email, and other services; CVE-2016-6277 provides root access enabling DNS configuration modification
  • Long exploitation tail: Home router vulnerabilities like CVE-2016-6277 remain exploitable for years because consumers rarely update router firmware; CISA's 2022 KEV addition reflects ongoing exploitation six years after disclosure
  • ISP and enterprise edge exposure: Some NETGEAR R-series routers were deployed at small business edge locations with web management interfaces internet-accessible; these configurations expose the management interface directly to attackers without requiring CSRF

Remediation

CISA BOD 22-01 Deadline: September 7, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply the NETGEAR firmware update — download and install the latest firmware for your specific router model from NETGEAR's support site. Verify the firmware version in the router admin panel post-update.

  2. Disable remote management — ensure the router's web management interface is not accessible from the internet (WAN-side). Navigate to router admin → Advanced → Remote Management → Disable.

  3. Replace end-of-life routers — if no firmware fix is available for your specific model, replace the device with a currently supported router. NETGEAR R6400 and R7000 have received firmware updates; check NETGEAR's security advisory for your model's status.

  4. Change the router admin password — use a strong, unique password for router administration to prevent LAN-side exploitation via web interface.

  5. Monitor for DNS hijacking — periodically verify your router's DNS settings match your ISP's or your configured DNS provider; unexpected DNS server addresses may indicate compromise.

Key Details

Property              Value
CVE ID                CVE-2016-6277
Vendor / Product      NETGEAR — Multiple Routers
NVD Published         2016-12-14
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-352 — Cross-Site Request Forgery (CSRF)
CISA KEV Added        2022-03-07
CISA KEV Deadline     2022-09-07
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-09-07. Apply updates per vendor instructions.

Timeline

Date         Event
2016-12-06   Kali-NetHunter forum researcher publicly discloses NETGEAR command injection vulnerability affecting R7000 and R6400
2016-12-09   NETGEAR confirms vulnerability in multiple router models; recommends disabling web management
2016-12-14   CVE-2016-6277 published by NVD; NETGEAR begins releasing firmware patches
2022-03-07   Added to CISA Known Exploited Vulnerabilities catalog
2022-09-07   CISA BOD 22-01 remediation deadline