Netgear R7000, firmware version 18.104.22.168_1.1.93 and possibly earlier, and R6400, firmware version 22.214.171.124_1.0.11 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
An exploit leveraging this vulnerability has been publicly disclosed.
This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version 126.96.36.199_1.1.2, is vulnerable. Other models may also be affected.