NETGEAR is aware of the security issue that can expose web GUI login passwords while the password recovery feature is disabled. This vulnerability occurs when an attacker can access the internal network or when remote management is enabled on the router. Remote management is turned off by default; users can turn on remote management through advanced settings.
Firmware fixes are currently available for the following affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for your model and visit the firmware release page for instructions:
NETGEAR has also released firmware that fixes the web password recovery vulnerability for the following cable modem router:
For cable products, firmware is managed and released by your Internet service provider. The firmware fix for the C6300, firmware version 2.01.18, has been released to all service providers. Until your service provider releases the firmware fix to you, NETGEAR strongly recommends that you use the workaround procedure explained in this article. To see your C6300’s current firmware version, visit the following knowledge base article and follow the instructions: How do I view the firmware version of my cable modem or modem router?
NETGEAR has tested the following devices and confirmed that they are not affected by the web password recovery vulnerability:
For the following affected products, NETGEAR recommends using the workaround procedure explained in this article.
Router Model and Firmware Version:
DSL Gateway Model and Firmware Version:
If your affected product does not have a firmware fix available, NETGEAR strongly recommends that you follow this workaround procedure to remediate the vulnerability:
The potential for password exposure remains if you do not complete both steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR’s mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those who use NETGEAR products for their connectivity.
To report a security vulnerability, visit https://bugcrowd.com/netgear.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at firstname.lastname@example.org.
For all other issues, visit http://www.netgear.com/about/security/.
The email@example.com email address is no longer accepting messages and is no longer actively monitored.