Tenable has disclosed details of a network misconfiguration, identified by its ZeroDay Research Team, present in NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400) prior to V184.108.40.206. The flaw inadvertently allowed unrestricted communication with any services listening via IPv6 on the WAN (internet facing) port of the device. This misconfiguration allows arbitrary access to any services running on the device and could potentially allow attackers to communicate with these devices from the internet as if they were on the consumer’s local network.
NETGEAR has issued a patch via its auto-update feature. However Tenable’s researcher found — at time of writing — that the device’s auto-update feature does not appear to recognise that updates are available beyond V220.127.116.11. Those consumers relying on the auto-update or “Check for Updates” mechanisms of these devices will remain vulnerable to this issue unless they manually apply the patch.
The risk of exploitation increases each passing day as additional vulnerabilities are confirmed. When chained with other known and unknown flaws, bad actors could obtain full remote control, exposing all other devices on a consumer’s network.