Netgear warns users to patch critical WiFi router vulnerabilities

Netgear has fixed two critical vulnerabilities affecting multiple WiFi router models and urged customers to update their devices to the latest firmware as soon as possible.

The security flaws impact multiple WiFi 6 access points (WAX206, WAX214v2, and WAX220) and Nighthawk Pro Gaming router models (XR1000, XR1000v2, XR500).

Although the American computer networking company did not disclose more details about the two bugs, it did reveal that unauthenticated threat actors can exploit them for remote code execution (tracked internally as PSV-2023-0039) and authentication bypass (PSV-2021-0117) in low-complexity attacks that don't require user interaction.

"NETGEAR strongly recommends that you download the latest firmware as soon as possible," the company said in security advisories published over the weekend.

The table below lists all vulnerable router models and the firmware versions with security patches.

Vulnerable Netgear router	Patched firmware version
XR1000	Firmware version 1.0.0.74
XR1000v2	Firmware version 1.1.0.22
XR500	Firmware version 2.3.2.134
WAX206	Firmware version 1.0.5.3
WAX220	Firmware version 1.0.5.3
WAX214v2	Firmware version 1.0.2.5

To download and install the latest firmware for your Netgear router, you have to go through the following steps:

Visit NETGEAR Support. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears. If you do not see a drop-down menu, ensure you entered your model number correctly or select a product category to browse for your product model. Click Downloads. Under Current Versions, select the first download whose title begins with Firmware Version. Click Release Notes. Follow the instructions in the release notes to download and install the new firmware.

"The unauthenticated RCE vulnerability remains if you do not complete all recommended steps," the company warned on Saturday.

"NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification."

A Netgear spokesperson was not available for comment when contacted by BleepingComputer for more information on the two security flaws.

In July, Netgear also urged customers to update to the latest firmware immediately to patch stored cross-site scripting (XSS) and authentication bypass vulnerabilities impacting several WiFi 6 router models.

One month earlier, security researchers disclosed six flaws of varying severity levels in Netgear WNR614 N300, an end-of-life router popular among home users and small businesses.