Search
On this page ▾
CVE-2017-6334 — NETGEAR DGN2200 Devices OS Command Injection Vulnerability

CVE-2017-6334

NETGEAR DGN2200 — Authenticated OS Command Injection via dnslookup.cgi Enables Root RCE; EOL — Disconnect; HIGH 8.8
⚠️ CVSS 3.1  8.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What Is NETGEAR DGN2200?

The NETGEAR DGN2200 is a DSL modem/wireless router deployed in home and small business networks. CVE-2017-6334 is a companion vulnerability to CVE-2017-6077 (unauthenticated command injection via ping) — while CVE-2017-6077 exploits the ping diagnostic endpoint without authentication, CVE-2017-6334 exploits the DNS lookup diagnostic endpoint (dnslookup.cgi) and requires low-level authentication (any valid router account). Both vulnerabilities affect the DGN2200 diagnostic tools and both achieve root command execution.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-6334 is an authenticated OS command injection vulnerability in NETGEAR DGN2200 routers (firmware through 10.0.0.50). The dnslookup.cgi diagnostic page passes user-supplied input directly to an OS command without sanitization, allowing any authenticated user to execute arbitrary commands with root privileges on the router. The product is end-of-life; CISA requires disconnecting it. Related companion: CVE-2017-6077 (unauthenticated ping-based command injection on the same device family).

Affected Versions

NETGEAR DGN2200 with firmware through 10.0.0.50. This product has reached end-of-life; no further firmware updates are available.

Technical Details

Root Cause: Unsanitized Input in DNS Lookup Diagnostic

CVE-2017-6334 is an OS command injection vulnerability (CWE-78) in the dnslookup.cgi page of the NETGEAR DGN2200 web management interface. The DNS lookup diagnostic feature accepts a hostname/IP address to look up and passes the user-supplied value directly to a system-level nslookup or host command without sanitization. Any user authenticated to the router management interface can inject shell commands:

POST /dnslookup.cgi
target=127.0.0.1;id;uname+-a

Code executes as root since the router web server process runs with root privileges, giving the attacker full device control.

Attribute Detail
Attack Vector Network — authenticated HTTP to management interface
Authentication Required — any valid router login (PR:L)
Impact Root command execution on router
Related CVE CVE-2017-6077 (same device, unauthenticated ping injection)

Exploitation Context

  • Chained with credential attacks: CVE-2017-6334 requires authentication, making it second-stage in an attack chain: first obtain router credentials (via default passwords, CVE-2017-5521 credential disclosure, or brute force), then use CVE-2017-6334 for root RCE
  • Botnet and proxy use: Compromised NETGEAR routers are recruited into IoT botnets and used as proxy infrastructure for threat actor operations
  • End-of-life persistence: The DGN2200 is EOL with no available patches; CISA's required action is disconnection; devices still in use represent permanent risk
  • CISA KEV (2022): Added March 25, 2022 alongside CVE-2017-6077 and other NETGEAR device vulnerabilities

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Disconnect NETGEAR DGN2200 immediately — this product is end-of-life with no available security patches; disconnect it and replace with a currently supported router model.

  2. Replace with supported hardware — select a router model with an active firmware update program and configure automatic firmware updates.

  3. Check network for active DGN2200 instances — audit your network for any remaining DGN2200 devices; use device inventory tools or search for the device management interface on your network segment.

  4. Monitor for IoT botnet indicators — if a DGN2200 must remain in use temporarily, monitor for anomalous outbound traffic patterns characteristic of botnet activity.

Key Details

PropertyValue
CVE ID CVE-2017-6334
Vendor / Product NETGEAR — DGN2200 Devices
NVD Published2017-03-06
NVD Last Modified2025-10-22
CVSS 3.1 Score8.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SeverityHIGH
CWE CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') find similar ↗
CISA KEV Added2022-03-25
CISA KEV Deadline2022-04-15
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

DateEvent
2017-03-06CVE-2017-6334 published; NETGEAR releases security advisory for DGN2200 command injection
2022-03-25Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15CISA BOD 22-01 remediation deadline

References

ResourceType
NVD — CVE-2017-6334 Vulnerability Database
CISA KEV Catalog Entry US Government
NETGEAR Security Advisory — OS Command Injection in DGN2200 Vendor Advisory

Last updated: 2026-05-25

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML