Cyber Resilience

CVE-2016-6277

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 14 December 2016

Published
14 December 2016
Modified
21 April 2026
KEV Added
07 March 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.9426 99.9th percentile
Risk Priority 94 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2016-6277 is a high-severity CSRF (CWE-352) vulnerability in Netgear D6220 Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-6277 is a command injection vulnerability present in the web interface of multiple NETGEAR router models, including R6250 before version 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly additional devices. The flaw allows remote attackers to execute arbitrary commands by embedding shell metacharacters in the path information supplied to cgi-bin/ endpoints and carries a CVSS 3.1 base score of 8.8 with CWE-352 classification.

An unauthenticated remote attacker can exploit the issue by sending a crafted HTTP request containing malicious metacharacters, resulting in command execution on the affected router. The attack vector is network-accessible with low complexity, requires user interaction, and can fully compromise confidentiality, integrity, and availability of the device.

Public references include NETGEAR knowledge-base article 000036386 describing affected firmware and beta updates, along with third-party reports and exploit code demonstrating the flaw on models such as the R6400 and R7000. Additional sources provide temporary workarounds and expanded analysis of the command-injection vector.

EU & UK References

Vulnerability details

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands…

more

via shell metacharacters in the path info to cgi-bin/.

CWE(s)
KEV Date Added
07 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

netgear
d6220 firmware
≤ 1.0.0.22
netgear
d6400 firmware
≤ 1.0.0.56
netgear
r6250 firmware
≤ 1.0.4.6_10.1.12
netgear
r6400 firmware
≤ 1.0.1.18
netgear
r6700 firmware
≤ 1.0.1.14
netgear
r6900 firmware
≤ 1.0.1.14
netgear
r7000 firmware
≤ 1.0.7.2_1.1.93
netgear
r7100lg firmware
≤ 1.0.0.28
netgear
r7300dst firmware
≤ 1.0.0.46
netgear
r7900 firmware
≤ 1.0.1.8
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all inputs to cgi-bin/ endpoints so that shell metacharacters cannot be interpreted as commands.

prevent

Boundary-protection rules can block unauthenticated network access to the router's web-management interface, eliminating the attack vector described in the CVE.

prevent

Mandates timely application of vendor firmware updates (e.g., the listed Beta releases) that remove the command-injection flaw from affected NETGEAR models.

References