CVE-2020-35787
📋 TL;DR
This vulnerability allows an authenticated attacker to trigger a buffer overflow on affected NETGEAR routers and range extenders. Successful exploitation could lead to remote code execution or device compromise. Only users with administrative credentials can exploit this vulnerability.
💻 Affected Systems
- NETGEAR D3600
- D6000
- D6200
- D7000
- EX6200v2
- EX7000
- EX8000
- JR6150
- PR2000
- R6020
- R6050
- R6080
- R6120
- R6220
- R6260
- R6300v2
- R6700
- R6700v2
- R6800
- R6900
- R6900P
- R6900v2
- R7000
- R7000P
- R7800
- R8900
- R9000
- XR500
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with administrative privileges leading to complete device takeover, network compromise, and potential lateral movement to connected devices.
Likely Case
Device crash/reboot causing denial of service, or limited code execution within router context.
If Mitigated
No impact if proper authentication controls prevent unauthorized access to administrative interfaces.
🎯 Exploit Status
Requires authenticated access and buffer overflow exploitation knowledge. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Minimum versions specified in CVE description (e.g., D3600 1.0.0.76 or later)
Vendor Advisory: https://kb.netgear.com/000062710/Security-Advisory-for-Post-Authentication-Buffer-Overflow-on-Some-Routers-and-Range-Extenders-PSV-2018-0379
Restart Required: Yes
Instructions:
1. Log into router web interface. 2. Navigate to Advanced > Administration > Firmware Update. 3. Check for updates or manually download from NETGEAR support site. 4. Upload and install latest firmware. 5. Router will reboot automatically.
🔧 Temporary Workarounds
Disable remote administration
allPrevent external access to router administrative interface
Use strong administrative credentials
allImplement complex passwords to reduce risk of credential compromise
🧯 If You Can't Patch
- Segment network to isolate vulnerable devices
- Implement strict access controls to router administrative interface
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface under Advanced > Administration > Firmware UpdateCheck Version:
No CLI command - check via web interface or router labelVerify Fix Applied:
Verify firmware version matches or exceeds minimum patched version from advisory📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by buffer overflow patterns
- Unexpected router reboots or crashes
Network Indicators:
- Unusual traffic patterns from router administrative interface
- Multiple POST requests to router admin pages with large payloads
SIEM Query:
source="router_logs" AND (event="authentication_failure" OR event="buffer_overflow" OR event="system_reboot")