CVE-2016-10174

CRITICAL KEV

NETGEAR Multiple Routers - Unauthenticated Remote Code Execution via Hidden Lang AVI Parameter Buffer Overflow

Title source: llm

Exploitation Summary

CVE-2016-10174 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 3 public exploits from researchers including Pedro Ribeiro, Pedro Ribeiro <[email protected]>, including a Metasploit module exploits/linux/http/netgear_wnr2000_rce.

AI-analyzed exploit summary This Metasploit module exploits a buffer overflow in NETGEAR WNR2000v5 routers via the `hidden_lang_avi` parameter, allowing unauthenticated or authenticated RCE. It brute-forces a timestamp token if unauthenticated, then triggers a stack overflow to execute a payload enabling a telnet shell.

Description

The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated attacker to achieve remote code execution.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Pedro Ribeiro · rubyremotehardware

https://www.exploit-db.com/exploits/41719

View Code ZIP pw:eip

This Metasploit module exploits a buffer overflow in NETGEAR WNR2000v5 routers via the `hidden_lang_avi` parameter, allowing unauthenticated or authenticated RCE. It brute-forces a timestamp token if unauthenticated, then triggers a stack overflow to execute a payload enabling a telnet shell.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: NETGEAR WNR2000v5 (firmware versions 1.0.0.34, 1.0.0.18, and likely others)

No auth needed

Prerequisites: Network access to the router's web interface (port 80) · Brute-forcing the timestamp token if unauthenticated

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Pedro Ribeiro · rubyremotecgi

https://www.exploit-db.com/exploits/40949

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in NETGEAR WNR2000v5 routers, allowing remote code execution. It includes methods to bypass authentication, retrieve credentials, and execute arbitrary commands via a crafted payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: NETGEAR WNR2000v5

No auth needed

Prerequisites: Network access to the target router · Knowledge of the router's MAC address for telnet mode

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Pedro Ribeiro <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_wnr2000_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in NETGEAR WNR2000 routers via the 'hidden_lang_avi' parameter, allowing remote command execution. It supports both authenticated and unauthenticated exploitation by brute-forcing a timestamp token.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: NETGEAR WNR2000v5 (firmware versions 1.0.0.34 and 1.0.0.18)

No auth needed

Prerequisites: Network access to the target router · Optional: Valid credentials for faster exploitation

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7

Core References

Exploit, Mailing List, Third Party Advisory, VDB Entry x_refsource_misc

http://seclists.org/fulldisclosure/2016/Dec/72

Exploit, Technical Description, Third Party Advisory x_refsource_misc

https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/95867

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41719/

Vendor Advisory x_refsource_misc

http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/40949/

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10174

Scores

CVSS v3 9.8

EPSS 0.9107

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2022-03-25

VulnCheck KEV 2022-03-25

InTheWild.io 2022-03-25

ENISA EUVD EUVD-2016-1361

CWE

CWE-120

Status published

Products (28)

netgear/d6100_firmware

netgear/d7000_firmware

netgear/d7800_firmware

netgear/jnr1010v2_firmware

netgear/jnr3300_firmware

netgear/jwnr2010v5_firmware

netgear/r2000_firmware

netgear/r6100_firmware

netgear/r6220_firmware

netgear/r7500_firmware

... and 18 more

Published Jan 30, 2017

KEV Added Mar 25, 2022

Tracked Since Feb 18, 2026