This may be a full RCE vulnerability but from what I can tell the exploit requires intercepting or redirecting HTTP traffic from the router to the update server.
Thats definitely a massive problem because anyone with access to DNS records (ISPs, governments, educational facilities, and so on) can remotely hack all of these devices, but on the other hand this poses no direct threat. The "immediately" part of the title seems overstated.
This just seems like a random, run-of-the-mill crappy router vulnerability to me. I'd be surprised if there was a consumer router that wasn't vulnerable to this somehow. Good thing Netgear provides a patch, though.
Even further its only those routers with the `circled` process running, which apparently is part of the parental controls functionality provided by Circle with their NetGear partnership. The silly part too is that the attack surface is available even if you don't have parental controls enabled.
I'm so glad I've been playing around with OpenWRT lately. I bought a second router a while back just to experiment with it and now I have automatic fail-over between two ISPs (with mwan3) and WPA2 Enterprise (with FreeRadius).
Needless to say, my Netgear R7000P will soon be decommissioned. I wish it were officially supported on OpenWRT because it's got a good amount of RAM and flash that could have been put to better use.
Why the hell do I have to manually download the new firmware and deploy it to fix this? My Netgear router has usually been able to update itself in the past just by logging into the admin console and checking for new firmware updates.
Thats definitely a massive problem because anyone with access to DNS records (ISPs, governments, educational facilities, and so on) can remotely hack all of these devices, but on the other hand this poses no direct threat. The "immediately" part of the title seems overstated.
This just seems like a random, run-of-the-mill crappy router vulnerability to me. I'd be surprised if there was a consumer router that wasn't vulnerable to this somehow. Good thing Netgear provides a patch, though.