CVE-2017-6862

What Are NETGEAR Multiple Devices?

CVE-2017-6862 affects a range of NETGEAR residential and small business routers sharing the same web management server firmware component. The vulnerability is a classic buffer overflow (CWE-120) in the HTTP management server that allows an attacker to bypass authentication and execute arbitrary code — achieving full router compromise with no credentials required.

Overview

CVE-2017-6862 is a critical buffer overflow vulnerability in multiple NETGEAR router models. The vulnerability in the web management server allows a remote, unauthenticated attacker to both bypass authentication checks and execute arbitrary code by sending an oversized or malformed HTTP request. This dual impact — authentication bypass and RCE — with no authentication required makes it one of the more severe NETGEAR router vulnerabilities. NETGEAR released firmware updates; CISA added CVE-2017-6862 to the KEV catalog in June 2022.

Affected Versions

Multiple NETGEAR router models — check NETGEAR security advisories and the NVD entry for the specific model list. Includes but may not be limited to: NETGEAR R6200, R6300, R6400, R7000, R7100LG, R7300, R7900, R8000, and related models.

Technical Details

Root Cause: Buffer Overflow in Web Management Server

CVE-2017-6862 is a classic buffer overflow (CWE-120) in the NETGEAR router web management server binary. The web server processes incoming HTTP requests and fails to adequately validate input length before copying it into a fixed-size buffer on the stack or heap. Sending an oversized request to the management interface:

1. Overflows the buffer and corrupts adjacent memory, including return addresses or function pointers
2. Bypasses authentication checks through the memory corruption
3. Redirects execution to attacker-controlled shellcode or return-oriented programming (ROP) chains

The end result is root code execution on the router with no authentication, enabling complete device compromise.

Exploitation Context

• IoT botnet target: NETGEAR routers with unauthenticated RCE vulnerabilities are primary targets for IoT botnets (Mirai and successors); a buffer overflow that bypasses authentication is trivially exploitable by automated scanning tools
• Consumer router exposure: Many NETGEAR models expose management interfaces to the internet by default or are configured with remote management enabled; internet-facing management interfaces are systematically scanned
• Credential-independent attack: Unlike CVE-2017-5521 (credential disclosure) or CVE-2017-6334 (authenticated injection), CVE-2017-6862 requires no credentials at all — making it the highest-leverage attack vector against this router family
• CISA KEV (2022): Added June 8, 2022 alongside multiple other NETGEAR device vulnerabilities reflecting sustained IoT device targeting

Remediation

1. Apply NETGEAR firmware updates — check NETGEAR's support site for your specific router model and apply the latest firmware update addressing CVE-2017-6862.

2. Disable remote management (WAN access) — immediately disable internet-facing management access; go to Advanced → Remote Management and ensure it is disabled. Management should only be accessible from the local LAN.

3. Replace end-of-life NETGEAR devices — if your model has reached end-of-life and no firmware update is available, replace it with a currently supported router.

4. Change default admin credentials — change the router admin password from factory defaults regardless of other mitigations.

5. Enable automatic firmware updates — if your NETGEAR model supports automatic firmware updates, enable this feature to ensure future security patches are applied promptly.