CVE-2017-18842

8.8 HIGH

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the web management interface of certain NETGEAR routers and DSL gateways. An attacker who lures a user whose browser holds an authenticated admin session onto a malicious page can make that browser submit configuration changes to the device without the user noticing. Affected users are those running the listed models on firmware older than the fixed versions.

💻 Affected Systems

Products:
  • NETGEAR R7300
  • NETGEAR R8500
  • NETGEAR DGN2200v1
  • NETGEAR D2200D
  • NETGEAR D2200DW-1FRNAS
Versions: R7300 before 1.0.0.54, R8500 before 1.0.2.94, DGN2200v1 before 1.0.0.55, D2200D/D2200DW-1FRNAS before 1.0.0.32
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Devices in their default configuration are vulnerable. The attacker needs no credentials; what is required is that the victim's browser holds an authenticated session to the device's web interface, because the forged request is sent by that browser and carries its session cookie or cached HTTP Basic credentials.

📦 What is this software?

Embedded management firmware for NETGEAR consumer and small-office routers, DSL gateways and a modem router (the product classes named in the vendor advisory). Administration is done through a browser at http://routerlogin.net or the device's LAN address.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover: attacker changes admin credentials, enables remote access, or reconfigures network settings to intercept traffic.

🟠

Likely Case

Unauthorized configuration changes: attacker modifies DNS settings, firewall rules, or network parameters to enable further attacks.

🟢

If Mitigated

No impact once firmware with CSRF protection is installed. Network placement alone does not mitigate: the forged request is issued by the victim's own browser from inside the LAN, so an admin interface that is not internet-facing is still reachable, and a changed admin password does not help while the browser already holds a session.

🌐 Internet-Facing: HIGH - Exposure does not depend on the admin interface being reachable from the internet; the malicious page can be delivered from anywhere, and the victim's browser issues the request to the router's LAN address.
🏢 Internal Only: MEDIUM - A LAN-only admin interface is the normal target; the attacker still needs the victim to load attacker-controlled content (phishing link, malicious ad, compromised site) while logged in to the router.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (the attacker needs no credentials, but the victim's browser must hold an authenticated session)
Complexity: LOW

CSRF attacks are well understood and easy to implement: a hidden auto-submitting form or a script on a page the victim visits is enough. The only precondition is that the victim's browser holds an authenticated session to the router's web interface at the time.
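To make the flaw class concrete, the following is an added example (not NETGEAR code and not the logic of the patched firmware) that models a router admin endpoint before and after a CSRF fix. The endpoint path, form field names, allowed origins and token scheme are assumptions chosen to show the mechanism: a forged POST carrying the victim's session is accepted by the vulnerable check, while the hardened check requires a same-origin Origin/Referer header and a per-session token that a foreign page cannot read.

```python
"""Added illustration of the CSRF flaw class and its fix.

This is NOT NETGEAR code: the endpoint (/apply.cgi), form fields, allowed
origins and token scheme are assumptions chosen to show the mechanism.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Origins from which the admin UI is legitimately served (assumed values; a
# router would derive them from its own LAN address and hostname).
ALLOWED_ORIGINS = {"http://192.168.1.1", "http://routerlogin.net"}

# What a malicious page could carry: a hidden form that the victim's browser
# submits to the router on load. Endpoint and field names are hypothetical.
ATTACK_PAGE = """<form id=f action="http://192.168.1.1/apply.cgi" method="POST">
<input type="hidden" name="dns1" value="203.0.113.9">
</form><script>document.getElementById('f').submit()</script>"""


class Session:
    """Server-side session; the token is issued once and embedded in every
    legitimate admin form, so a foreign page cannot know it."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def origin_of(headers):
    """Return scheme://host for the request, from Origin or else Referer.
    None when neither is present (old browsers, privacy settings)."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        p = urlsplit(headers["Referer"])
        origin = f"{p.scheme}://{p.netloc}"
    return origin


def vulnerable_accept(session, method, headers, form):
    """Pre-fix logic: any POST that arrives with a valid session is applied.
    The forged request above carries the victim's session, so it passes."""
    return session is not None and method == "POST"


def hardened_accept(session, method, headers, form):
    """Fixed logic: a same-origin Origin/Referer is required AND the form must
    carry the per-session token. A missing Origin is rejected, not assumed ok."""
    if session is None or method != "POST":
        return False
    if origin_of(headers) not in ALLOWED_ORIGINS:
        return False
    return hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token)


if __name__ == "__main__":
    s = Session()
    forged = ({"Origin": "http://evil.example"}, {"dns1": "203.0.113.9"})
    legit = ({"Origin": "http://192.168.1.1"},
             {"dns1": "192.168.1.1", "csrf_token": s.csrf_token})
    print("vulnerable accepts forged:", vulnerable_accept(s, "POST", *forged))
    print("hardened accepts forged:  ", hardened_accept(s, "POST", *forged))
    print("hardened accepts legit:   ", hardened_accept(s, "POST", *legit))
```

Two design points matter in the hardened check: the token comparison uses `hmac.compare_digest` so it cannot be timed, and a request with neither Origin nor Referer is refused rather than waved through, because CSRF payloads are free to suppress those headers.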

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R7300: 1.0.0.54+, R8500: 1.0.2.94+, DGN2200v1: 1.0.0.55+, D2200D/D2200DW-1FRNAS: 1.0.0.32+

Vendor Advisory: https://kb.netgear.com/000049017/Security-Advisory-for-a-Cross-Site-Request-Forgery-on-Some-Routers-DSL-Gateways-and-a-Modem-Router-PSV-2017-0327

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to the firmware update section (Advanced > Administration > Firmware Update).
3. Download the latest firmware for the exact model from the NETGEAR support site.
4. Upload and install the firmware.
5. Reboot the device and confirm the version shown is at or above the patched version.

🔧 Temporary Workarounds

Log out after administration (applies to: all)

Always log out of the router web interface after making changes, so the browser no longer holds a session that a forged request could ride on. If the device authenticates with HTTP Basic, the browser keeps re-sending the cached credentials until it is closed, so close the browser rather than relying on a logout link.

Use separate browser for administration (applies to: all)

Use a dedicated browser or private browsing session only for router administration, and do not open other sites in it while logged in.

🧯 If You Can't Patch

  • Change default admin credentials to strong, unique passwords (this blocks credential guessing, not CSRF itself: a forged request is sent by a browser that is already authenticated)
  • Disable remote administration if not needed, so the interface is reachable only from the LAN
  • Do not browse other sites in a browser that is logged in to the router; log out or close the browser when done

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Advanced > Administration > Firmware Update

Check Version:

No CLI command - check via web interface at http://routerlogin.net or router IP

Verify Fix Applied:

Verify firmware version matches or exceeds patched versions listed in advisory
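Since the page notes there is no CLI check, the following added helper (not a NETGEAR tool) compares a version string copied from the web interface against the fixed versions listed above. It assumes the UI shows versions either as plain `1.0.0.52` or in the form `V1.0.0.52_1.0.70`, where only the first dotted group is the firmware version; unknown models raise rather than being reported as safe.

```python
"""Added firmware version check for CVE-2017-18842 (not vendor code)."""
import re

# Minimum fixed firmware per model, taken from the advisory summary above.
PATCHED = {
    "R7300": (1, 0, 0, 54),
    "R8500": (1, 0, 2, 94),
    "DGN2200v1": (1, 0, 0, 55),
    "D2200D": (1, 0, 0, 32),
    "D2200DW-1FRNAS": (1, 0, 0, 32),
}

# Assumed display forms: "1.0.0.52" or "V1.0.0.52_1.0.70"; the part after "_"
# is treated as a secondary build string and ignored.
_VER = re.compile(r"^V?(\d+(?:\.\d+)+)")


def parse_version(s):
    """Turn a version string into a tuple of ints so it compares numerically
    (string comparison would rank '1.0.0.9' above '1.0.0.54')."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {s!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_vulnerable(model, version):
    """True if the firmware is below the fixed version for this model.
    Unknown models raise so they are never silently reported as safe."""
    if model not in PATCHED:
        raise KeyError(f"model {model!r} not covered by CVE-2017-18842")
    return parse_version(version) < PATCHED[model]


if __name__ == "__main__":
    for model, ver in [("R7300", "V1.0.0.52_1.0.70"), ("R8500", "1.0.2.94")]:
        state = "VULNERABLE" if is_vulnerable(model, ver) else "patched"
        print(f"{model} {ver}: {state}")
```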

📡 Detection & Monitoring

Log Indicators:

  • Several configuration changes from the same LAN client within seconds, faster than a person clicking through the UI
  • Configuration changes the administrator does not recognise making

Network Indicators:

  • DNS servers changed to unexpected addresses
  • New port forwarding or remote management rules
  • Admin credentials changed so the legitimate administrator is locked out

SIEM Query:

Correlate router configuration-change events with web proxy or DNS logs from the same client: a change to DNS, port forwarding or remote management that lands seconds after that client loaded an untrusted external site is the CSRF pattern, and a burst of several changes within a minute is another.
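As an added example of the detection logic described above (not vendor code), the following runs two rules over constructed router log lines: flag changes to security-relevant settings, and flag a burst of several changes from one client inside a short window. The log format is a generic syslog-like shape invented for this example; real NETGEAR log wording differs and has to be mapped onto the same fields (timestamp, event, source client, changed key) before use.

```python
"""Added example: CSRF-style change detection over constructed log lines.

Not vendor code. The line format is invented for this example; real NETGEAR
log wording differs and must be mapped to the same fields before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one admin login, then three changes in three seconds
# (the shape a scripted page produces), then an unrelated change hours later.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 router admin_login src=192.168.1.23 user=admin
2024-05-01T10:00:40 router config_change src=192.168.1.23 key=dns.primary old=192.168.1.1 new=203.0.113.9
2024-05-01T10:00:41 router config_change src=192.168.1.23 key=remote_mgmt old=off new=on
2024-05-01T10:00:42 router config_change src=192.168.1.23 key=portfwd.add old= new=tcp/8443->192.168.1.23:443
2024-05-01T12:30:00 router config_change src=192.168.1.23 key=wifi.ssid old=Home new=Home2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<event>\S+) src=(?P<src>\S+)"
    r"(?: key=(?P<key>\S+) old=(?P<old>\S*) new=(?P<new>\S*))?"
)

# Settings whose change hands the attacker traffic interception or persistent
# access (assumed key names for this example).
SENSITIVE_PREFIXES = ("dns.", "remote_mgmt", "portfwd.", "admin.")


def parse(text):
    """Parse log text into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect(events, burst_n=3, burst_window=60):
    """Return (rule, src, detail) alerts.
    sensitive_change: a security-relevant key was changed.
    burst: burst_n or more changes from one client within burst_window s."""
    alerts = []
    changes = [e for e in events if e["event"] == "config_change"]
    for e in changes:
        if e["key"].startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_change", e["src"], f"{e['key']}={e['new']}"))
    by_src = defaultdict(list)
    for e in changes:
        by_src[e["src"]].append(e["ts"])
    window = timedelta(seconds=burst_window)
    for src, times in by_src.items():
        times.sort()
        i = 0  # left edge of the sliding window
        for j in range(len(times)):
            while times[j] - times[i] > window:
                i += 1
            if j - i + 1 >= burst_n:
                alerts.append(("burst", src, f"{j - i + 1} changes within {burst_window}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS)):
        print(alert)
```

The burst rule is the one that separates a CSRF page from an administrator: the malicious page fires its requests back to back, while a person changing the same three settings by hand takes minutes. Tune `burst_n` and `burst_window` to the site's own admin habits.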
