CVE-2016-6277
Published: 14 December 2016
Summary
CVE-2016-6277 is a high-severity CSRF (CWE-352) vulnerability in Netgear D6220 Firmware. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2016-6277 is a command injection vulnerability present in the web interface of multiple NETGEAR router models, including R6250 before version 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly additional devices. The flaw allows remote attackers to execute arbitrary commands by embedding shell metacharacters in the path information supplied to cgi-bin/ endpoints and carries a CVSS 3.1 base score of 8.8 with CWE-352 classification.
An unauthenticated remote attacker can exploit the issue by sending a crafted HTTP request containing malicious metacharacters, resulting in command execution on the affected router. The attack vector is network-accessible with low complexity, requires user interaction, and can fully compromise confidentiality, integrity, and availability of the device.
Public references include NETGEAR knowledge-base article 000036386 describing affected firmware and beta updates, along with third-party reports and exploit code demonstrating the flaw on models such as the R6400 and R7000. Additional sources provide temporary workarounds and expanded analysis of the command-injection vector.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-7207
Vulnerability details
NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.
- CWE(s)
- KEV Date Added: 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all inputs to cgi-bin/ endpoints so that shell metacharacters cannot be interpreted as commands.
Boundary-protection rules can block unauthenticated network access to the router's web-management interface, eliminating the attack vector described in the CVE.
Mandates timely application of vendor firmware updates (e.g., the listed Beta releases) that remove the command-injection flaw from affected NETGEAR models.
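One way to check proxy or web-server access logs for the pattern these controls address, shell metacharacters in the path info after cgi-bin/, is sketched below. This is an added example, not code from NETGEAR or from the original advisory; the Common Log Format input, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Characters a POSIX shell treats specially; a legitimate cgi-bin path
# has no reason to contain any of them.
SHELL_META = set(";|&`$<>(){}\\\n\r")
# Request line of a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+"')


def decode_fully(value, rounds=3):
    """Percent-decode several times so double-encoded characters are seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def suspicious_path_info(target):
    """Return shell metacharacters found in the path info after cgi-bin/."""
    path = decode_fully(target.split("?", 1)[0])
    idx = path.lower().find("/cgi-bin/")
    if idx == -1:
        return []
    path_info = path[idx + len("/cgi-bin/"):]
    return sorted(set(path_info) & SHELL_META)


def scan(lines):
    """Yield (line_number, metacharacters) for each flagged log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        found = suspicious_path_info(match.group("target")) if match else []
        if found:
            yield number, found


# Constructed sample entries (documentation addresses, placeholder payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2017:10:00:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2017:10:00:05 +0000] "GET /cgi-bin/;PLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.44 - - [01/Jan/2017:10:00:09 +0000] "GET /cgi-bin/%253BPLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2017:10:00:12 +0000] "GET /index.htm?a=1;b=2 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: metacharacters {found} in cgi-bin path info")
```

The query string is dropped before matching, so the last sample line is not flagged; only the path segment after cgi-bin/ is inspected, which is the location the CVE description names.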