Critical NETGEAR Router Vulnerability Let Attackers Gain Full Admin Access
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A newly disclosed authentication bypass vulnerability has exposed thousands of NETGEAR DGND3700v2 routers to remote attacks, allowing cybercriminals to gain complete administrative control without requiring valid credentials.
The flaw, tracked as CVE-2025-4978 and assigned a critical CVSS score of 9.3, represents one of the most severe router security issues discovered in recent years.
NETGEAR Router Vulnerability
The vulnerability exists within the router’s embedded mini_http server, a lightweight HTTP daemon responsible for serving the device’s administrative web interface.
Security researcher at0de discovered that accessing a specific unauthenticated endpoint /BRS_top.html triggers a critical security bypass mechanism.
When this endpoint is accessed, the system sets an internal variable called start_in_blankstate to 1, which fundamentally alters the device’s authentication behavior.
This flag is subsequently referenced in the sub_404930 function, which handles HTTP Basic Authentication verification processes.
According to the technical analysis, “if start_in_blankstate=1, the verification is skipped, allowing users to access all features without permissions, which appears to be a backdoor”.
The vulnerability affects NETGEAR DGND3700v2 routers running firmware version V1.1.00.15_1.00.15NA, though the flaw appears to be an embedded backdoor mechanism rather than an accidental coding error.
The mini_http server’s authentication logic in function sub_406058 processes all incoming HTTP requests, making this bypass particularly dangerous as it affects the core security mechanism.
Risk Factors Details Affected ProductsNETGEAR DGND3700v2 router running firmware version V1.1.00.15_1.00.15NA.ImpactFull administrative access to the router’s configuration interfaceExploit Prerequisites– Access to the router’s web interface (local network or exposed remote management)- No authentication required- Ability to send HTTP GET request to /BRS_top.html endpointCVSS Score9.3 (Critical)
Security Implications
The exploit’s simplicity makes it particularly concerning for cybersecurity professionals. Attackers need only send a GET request to the vulnerable endpoint to disable authentication checks entirely.
Once triggered, the bypass remains active until the device is rebooted or manually reset, providing persistent unauthorized access.
“By accessing the unauthenticated endpoint /BRS_top.html, the internal flag start_in_blankstate is set to 1, which disables HTTP Basic Authentication checks,” explains the vulnerability disclosure.
This mechanism allows attackers to modify DNS settings for traffic redirection, install persistent malware, harvest credentials from connected devices, and disable critical security features including firewalls and parental controls.
The vulnerability can be exploited both from local networks and remotely when the router’s management interface is exposed to the internet.
A proof-of-concept exploit called “Longue vue” demonstrates the attack’s effectiveness, capable of compromising devices directly through web browsers.
Recommendations
The company stated: “NETGEAR will not release a fix for this vulnerability on the affected product as the product is outside of the security support period. Current in-support models are not affected by this vulnerability”.
Despite NETGEAR’s refusal to patch the flaw, the company has released firmware version 1.1.00.26 that addresses the vulnerability.
However, this contradicts their earlier statement about not providing fixes for end-of-life products.
Security experts strongly recommend that users immediately replace affected DGND3700v2 devices with newer, supported models.
For organizations unable to immediately replace the hardware, implementing network segmentation and disabling remote management features can provide temporary risk mitigation until replacement devices are deployed.
The disclosure highlights broader concerns about vendor support lifecycles and the security risks posed by abandoned network infrastructure devices in homes and small businesses.
#Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
Critical NETGEAR Router Vulnerability Let Attackers Gain Full Admin Access
Author: KaaviyaA newly disclosed authentication bypass vulnerability has exposed thousands of NETGEAR DGND3700v2 routers to remote attacks, allowing cybercriminals to gain complete administrative control without requiring valid credentials.
The flaw, tracked as CVE-2025-4978 and assigned a critical CVSS score of 9.3, represents one of the most severe router security issues discovered in recent years.
NETGEAR Router Vulnerability
The vulnerability exists within the router’s embedded mini_http server, a lightweight HTTP daemon responsible for serving the device’s administrative web interface.
Security researcher at0de discovered that accessing a specific unauthenticated endpoint /BRS_top.html triggers a critical security bypass mechanism.
When this endpoint is accessed, the system sets an internal variable called start_in_blankstate to 1, which fundamentally alters the device’s authentication behavior.
This flag is subsequently referenced in the sub_404930 function, which handles HTTP Basic Authentication verification processes.
According to the technical analysis, “if start_in_blankstate=1, the verification is skipped, allowing users to access all features without permissions, which appears to be a backdoor”.
The vulnerability affects NETGEAR DGND3700v2 routers running firmware version V1.1.00.15_1.00.15NA, though the flaw appears to be an embedded backdoor mechanism rather than an accidental coding error.
The mini_http server’s authentication logic in function sub_406058 processes all incoming HTTP requests, making this bypass particularly dangerous as it affects the core security mechanism.
Risk Factors Details Affected ProductsNETGEAR DGND3700v2 router running firmware version V1.1.00.15_1.00.15NA.ImpactFull administrative access to the router’s configuration interfaceExploit Prerequisites– Access to the router’s web interface (local network or exposed remote management)- No authentication required- Ability to send HTTP GET request to /BRS_top.html endpointCVSS Score9.3 (Critical)
Security Implications
The exploit’s simplicity makes it particularly concerning for cybersecurity professionals. Attackers need only send a GET request to the vulnerable endpoint to disable authentication checks entirely.
Once triggered, the bypass remains active until the device is rebooted or manually reset, providing persistent unauthorized access.
“By accessing the unauthenticated endpoint /BRS_top.html, the internal flag start_in_blankstate is set to 1, which disables HTTP Basic Authentication checks,” explains the vulnerability disclosure.
This mechanism allows attackers to modify DNS settings for traffic redirection, install persistent malware, harvest credentials from connected devices, and disable critical security features including firewalls and parental controls.
The vulnerability can be exploited both from local networks and remotely when the router’s management interface is exposed to the internet.
A proof-of-concept exploit called “Longue vue” demonstrates the attack’s effectiveness, capable of compromising devices directly through web browsers.
Recommendations
The company stated: “NETGEAR will not release a fix for this vulnerability on the affected product as the product is outside of the security support period. Current in-support models are not affected by this vulnerability”.
Despite NETGEAR’s refusal to patch the flaw, the company has released firmware version 1.1.00.26 that addresses the vulnerability.
However, this contradicts their earlier statement about not providing fixes for end-of-life products.
Security experts strongly recommend that users immediately replace affected DGND3700v2 devices with newer, supported models.
For organizations unable to immediately replace the hardware, implementing network segmentation and disabling remote management features can provide temporary risk mitigation until replacement devices are deployed.
The disclosure highlights broader concerns about vendor support lifecycles and the security risks posed by abandoned network infrastructure devices in homes and small businesses.
#Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
