CVE-2020-28373
📋 TL;DR
This vulnerability allows remote attackers on the local network to execute arbitrary code on affected NETGEAR routers via a stack-based buffer overflow in the UPnP daemon. It affects multiple NETGEAR router models with specific firmware versions. Attackers can gain full control of the device without authentication.
💻 Affected Systems
- NETGEAR R6400v2
- NETGEAR R6400
- NETGEAR R7000P
- NETGEAR XR300
- NETGEAR R8000
- NETGEAR R8300
- NETGEAR R8500
- NETGEAR R7300DST
- NETGEAR R7850
- NETGEAR R7900
- NETGEAR RAX20
- NETGEAR RAX80
- NETGEAR R6250
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of router with persistent backdoor installation, credential theft, network traffic interception, and lateral movement to other devices.
Likely Case
Router takeover leading to DNS hijacking, credential harvesting, and network reconnaissance.
If Mitigated
Limited impact if UPnP is disabled and network segmentation isolates routers from untrusted devices.
🎯 Exploit Status
Public proof-of-concept code exists on GitHub. Exploitation is straightforward for attackers with LAN access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check NETGEAR support for each model - newer firmware versions than those listed
Vendor Advisory: https://kb.netgear.com/
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates. 4. If update available, download and install. 5. Router will reboot automatically.
🔧 Temporary Workarounds
Disable UPnP
allDisable Universal Plug and Play service to prevent exploitation
Log into router web interface > Advanced > Advanced Setup > UPnP > Disable
Network Segmentation
allIsolate router management interface from general LAN
Create separate VLAN for router management
Restrict access to router IP to trusted devices only
🧯 If You Can't Patch
- Disable UPnP immediately via router web interface
- Implement strict network segmentation to limit LAN access to router
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin interface and compare with affected versions in CVE descriptionCheck Version:
Log into router web interface > Advanced > Administration > Router StatusVerify Fix Applied:
Verify firmware version is newer than affected versions listed, then confirm UPnP is disabled📡 Detection & Monitoring
Log Indicators:
- Unusual UPnP requests
- Buffer overflow patterns in router logs
- Unexpected process crashes
Network Indicators:
- Suspicious UPnP traffic to router on port 1900/udp
- Unusual outbound connections from router
SIEM Query:
source="router_logs" AND ("upnpd" OR "buffer overflow" OR "segmentation fault")