A new vulnerability has been found in some popular Netgear routers. If left unpatched and unchecked, "thousands of home networking devices [could be] exposed to full control by hackers" and botnets. Unfortunately, with so many models affected, it's hard for Netgear to supply fixes for all of them -- the ones they've handed out so far are tentative at best.
Security Researcher Andrew Rollins (aka Acew0rm) discovered the flaw in August 2016. Unfortunately, Netgear did not respond to his notification, and Rollins later decided to go public with his knowledge. The Department of Homeland Security's (DHS) CERT group picked up on Rollins's message and has advised other users to "pull the plug."
“Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available,” the CERT notice said.
Netgear initially said only three of its products had the vulnerability but later confirmed that eight of its routers (R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, R8000) have been affected by the vulnerability; they "declined to comment on why it's taking so long to release a production-grade firmware update."
According to Wired, Netgear released beta patches on Tuesday. Sadly, they may not work for all of the models and have yet to be completely tested.
"Compounding the issue is that Netgear customers have to install the firmware themselves; the company says it has no process in place to push an over-the-air update, and that customers will have to manually install it on their own."
Rollins claims the vulnerability is not that hard to fix and believes Netgear is just dragging their feet on the issue.
“What surprised me most is that Netgear was notified of this vulnerability months ago, but didn’t act,” researcher Bas van Schaik said after he published a temporary fix for the vulnerability on Friday. “Given the significant severity of the vulnerability, I find that as appalling as it is baffling.”
Users who believe their routers have been affected should download a patch immediately. van Schaik's workaround has been recommended by CERT, but disconnecting the router altogether is another viable option.