Netgear R7000, firmware version and possibly earlier, and R6400, firmware version and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:


An exploit leveraging this vulnerability has been publicly disclosed.

This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version, is vulnerable. Other models may also be affected.

Source: Vulnerability Note VU#582384 – Multiple Netgear routers are vulnerable to arbitrary command injection