CVE-2017-5521 — NETGEAR Multiple Devices Exposure of Sensitive Information Vulnerability

NETGEAR Multiple Routers — Unauthenticated Admin Password Recovery Endpoint Discloses Credentials via Crafted HTTP Request; HIGH 8.1; Added KEV September 2022

What Are NETGEAR Residential and Business Routers?

NETGEAR produces a wide range of residential and small business routers widely deployed as internet gateways in homes, small businesses, and home offices. NETGEAR routers include a web-based management interface for configuration. Router admin credential disclosure is a severe vulnerability class because full router control gives an attacker the ability to redirect DNS (DNS hijacking for credential phishing), intercept unencrypted traffic, create persistent VPN tunnels into the home/office network, and use the router as a persistent foothold or proxy.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on September 8, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-5521 is a credential disclosure vulnerability affecting multiple NETGEAR router models. The router web management server exposes an admin password recovery endpoint — accessible without authentication — that responds to specially crafted requests by returning the router's admin password in cleartext. An attacker with network access to the management interface can recover the admin password with a single HTTP request. The AC:H rating reflects that exploitation requires specific timing or request conditions to succeed. Discovered by security researcher Simon Kenin and published in January 2017; NETGEAR released firmware updates. CISA added CVE-2017-5521 to the KEV catalog in September 2022.

Affected Versions

Numerous NETGEAR router models — see NETGEAR Knowledge Base article KB30632 for the full affected model list. Models include:

  • NETGEAR R8500, R8300, R7000, R6400, R7300DST, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, R8000, R7900, R6200v2, WNDR3400v2, D6220, D6400, and others.

Some models received firmware updates; older end-of-life models may not have received patches.

Technical Details

Root Cause: Unauthenticated Password Recovery Endpoint

CVE-2017-5521 is a sensitive information disclosure vulnerability (CWE-200) in NETGEAR's web management interface. NETGEAR routers include a password recovery feature for users who have forgotten their admin password. The endpoint handling password recovery does not require authentication and, under certain conditions (specific URL patterns or request parameters), returns the admin credentials in the HTTP response body.

Researcher Simon Kenin discovered that by sending a crafted request to the password recovery CGI endpoint (exposed under names such as unauth.cgi or pwdrec.asp, depending on model), the router would disclose the cleartext admin password without any authentication.

Attack simplicity: On vulnerable models, a single unauthenticated HTTP GET request to the management interface returns the admin password. Once obtained:

  • Router admin access allows full configuration change (DNS hijacking, port forwarding, firewall rules)
  • Recovered router admin password often matches passwords used on other services (password reuse)
  • Router admin console gives persistent foothold with unrestricted network access
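As an added defensive example (not part of the original advisory and not NETGEAR code), the following Python flags requests to the password-recovery paths the advisory names, working over constructed combined-format web logs. It assumes a reverse proxy or mirror-port sensor in front of the management interface records this traffic; the log lines, source addresses and the `?example=1` query string are constructed for illustration.

```python
import re
import ipaddress

RECOVERY_PATHS = ("unauth.cgi", "pwdrec.asp")  # named in the advisory; model-dependent
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined log format, assumed to come from a reverse proxy or mirror-port
# sensor in front of the router's web UI (the router itself logs little).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample traffic; 203.0.113.0/24 is RFC 5737 documentation space.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Jan/2017:08:14:02 +0000] "GET /index.htm HTTP/1.1" 401 0
203.0.113.45 - - [10/Jan/2017:08:14:07 +0000] "GET /unauth.cgi HTTP/1.1" 200 512
203.0.113.45 - - [10/Jan/2017:08:14:09 +0000] "GET /pwdrec.asp?example=1 HTTP/1.1" 200 1187
192.168.1.50 - - [10/Jan/2017:09:01:44 +0000] "GET /pwdrec.asp HTTP/1.1" 200 1187
""".splitlines()

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_lan(addr):
    """RFC 1918 only: ipaddress.is_private would also accept documentation space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # a malformed source field is never trusted as LAN
        return False
    return any(ip in net for net in LAN_NETS)

def flag_recovery_requests(lines):
    """One finding per request to a recovery path: a WAN-side source means the
    management UI is exposed (critical); a LAN-side hit may be legitimate (review)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # ignore any query string
        if not path.endswith(RECOVERY_PATHS):
            continue
        from_wan = not is_lan(rec["src"])
        findings.append({"src": rec["src"], "path": path, "status": rec["status"],
                         "from_wan": from_wan, "severity": "critical" if from_wan else "review"})
    return findings
```

Any WAN-side hit is a sign that Remote Management is enabled and should be treated as a likely credential disclosure; LAN-side hits need correlation with who was actually using the recovery feature.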

Attack Characteristics

Attribute         Detail
Attack Vector     Network — HTTP request to management interface
Authentication    None required
Impact            Admin password disclosure → full router compromise
Complexity        High (AC:H) — specific request timing or conditions required

Discovery

Discovered by independent security researcher Simon Kenin and publicly disclosed in January 2017 after coordinating with NETGEAR. NETGEAR released firmware updates and documented affected models in KB30632.

Exploitation Context

  • Router DNS hijacking: Threat actors specifically target home and small business routers to modify DNS settings; DNS hijacking redirects banking, email, and VPN connections to attacker-controlled servers for credential phishing
  • Persistent network access: Compromised routers provide attacker-controlled network infrastructure inside the target network with high availability — routers run 24/7 and are rarely monitored
  • Botnet recruitment: Consumer routers with compromised credentials are recruited into botnets (Mirai and successors) for DDoS capability
  • End-of-life devices: Many NETGEAR models affected by CVE-2017-5521 have reached end-of-life; CISA requires disconnecting EOL devices that cannot be patched
  • CISA KEV (2022): Added September 8, 2022 alongside several other NETGEAR vulnerabilities reflecting IoT device exploitation campaigns

Remediation

CISA BOD 22-01 Deadline: September 29, 2022. Apply updates per vendor instructions. If the affected device has since entered end-of-life, it should be disconnected if still in use.

  1. Apply NETGEAR firmware updates — check the NETGEAR Knowledge Base article KB30632 for your specific router model and apply the available firmware update. Use the NETGEAR router admin interface (Firmware Update) or download directly from NETGEAR support.

  2. Replace end-of-life routers — if your NETGEAR model is end-of-life and no firmware update is available, replace it with a currently supported router model that receives security updates.

  3. Disable remote management — ensure the NETGEAR router management interface is not accessible from the internet (WAN side); disable Remote Management in Advanced → Remote Management settings.

  4. Change default and current admin password — change the router admin password immediately, even after patching; use a unique, strong password not reused from any other service.

  5. Restrict LAN-side management access — consider restricting which LAN hosts can access the router management interface using NETGEAR's access control features to reduce the attack surface even for internal attackers.

Key Details

Property              Value
CVE ID                CVE-2017-5521
Vendor / Product      NETGEAR — Multiple Devices
NVD Published         2017-01-17
NVD Last Modified     2025-10-22
CVSS 3.1 Score        8.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
CISA KEV Added        2022-09-08
CISA KEV Deadline     2022-09-29
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High


Timeline

Date         Event
2017-01-09   Security researcher Simon Kenin publicly discloses NETGEAR admin password disclosure vulnerability
2017-01-17   CVE-2017-5521 published by NVD; NETGEAR releases firmware updates for affected models
2022-09-08   Added to CISA Known Exploited Vulnerabilities catalog
2022-09-29   CISA BOD 22-01 remediation deadline