CVE-2016-10176

CRITICAL EXPLOITED

NETGEAR WNR2000v5 Firmware < 1.0.0.34 - Unauthenticated Remote Code Execution via apply_noauth.cgi

Title source: llm

Exploitation Summary

CVE-2016-10176 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, both by Pedro Ribeiro, one of which is the Metasploit module auxiliary/admin/http/netgear_wnr2000_pass_recovery.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in NETGEAR WNR2000v5 routers, allowing remote code execution. It includes methods to bypass authentication, retrieve credentials, and execute arbitrary commands via a crafted payload.

Description

The NETGEAR WNR2000v5 router allows an administrator to perform sensitive actions by invoking the apply.cgi URL on the web server of the device. This special URL is handled by the embedded web server (uhttpd) and processed accordingly. The web server also contains another URL, apply_noauth.cgi, that allows an unauthenticated user to perform sensitive actions on the device. This functionality can be exploited to change the router settings (such as the answers to the password-recovery questions) and achieve remote code execution.

Exploits (2)

exploitdb WORKING POC
by Pedro Ribeiro · ruby · remote · cgi
https://www.exploit-db.com/exploits/40949

Classification
Working Poc 95%
Attack Type
RCE
Complexity
Complex
Reliability
Reliable
Target: NETGEAR WNR2000v5
No auth needed
Prerequisites: Network access to the target router · Knowledge of the router's MAC address for telnet mode
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb

This Metasploit module exploits a password recovery vulnerability in NETGEAR WNR2000 routers by brute-forcing a timestamp token to bypass authentication and retrieve admin credentials. It leverages a predictable timestamp generation algorithm and requires no prior authentication.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: NETGEAR WNR2000v5 (firmware versions 1.0.0.34, 1.0.0.18, and potentially others)
No auth needed
Prerequisites: Network access to the router's web interface · Router must have password recovery enabled
devstral-2 · analyzed Feb 16, 2026
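
The Description above (apply_noauth.cgi performs sensitive actions with no session) and the Metasploit entry (the timestamp token is brute-forced) together give a network-side detection handle: on this device, any request to apply_noauth.cgi from outside the management LAN merits review, and a burst of them from one source is what the token brute force looks like on the wire. The routine below is an added example written for this page; it is not code from the page or from Pedro Ribeiro's modules. It assumes Zeek http.log-style records captured at a sensor in front of the router (the router itself is not assumed to log), constructed sample lines, an assumed `timestamp=` query parameter, and arbitrary burst thresholds.

```python
import re
from collections import defaultdict

# Constructed, Zeek http.log-style records (tab-separated: ts, id.orig_h,
# id.resp_h, method, uri, status_code). The addresses, timestamps and the
# "timestamp=" query parameter are made up for this example; they are not
# captured traffic from a real WNR2000v5.
SAMPLE_HTTP_LOG = """\
1481371200.10\t192.0.2.10\t198.51.100.1\tGET\t/\t200
1481371201.00\t192.0.2.10\t198.51.100.1\tPOST\t/apply.cgi\t200
1481371205.00\t203.0.113.7\t198.51.100.1\tGET\t/apply_noauth.cgi?timestamp=10001\t200
1481371205.30\t203.0.113.7\t198.51.100.1\tGET\t/apply_noauth.cgi?timestamp=10002\t200
1481371205.60\t203.0.113.7\t198.51.100.1\tGET\t/apply_noauth.cgi?timestamp=10003\t200
1481371205.90\t203.0.113.7\t198.51.100.1\tGET\t/apply_noauth.cgi?timestamp=10004\t200
1481371206.20\t203.0.113.7\t198.51.100.1\tGET\t/apply_noauth.cgi?timestamp=10005\t200
1481371206.50\t203.0.113.7\t198.51.100.1\tPOST\t/apply_noauth.cgi?timestamp=10006\t200
1481371300.00\t192.0.2.55\t198.51.100.1\tGET\t/apply_noauth.cgi\t200
"""

# Match the unauthenticated handler exactly. /apply.cgi is the authenticated
# path used by legitimate admin sessions and is deliberately not matched.
NOAUTH_RE = re.compile(r"^/apply_noauth\.cgi(?:[?/]|$)")


def parse_http_log(text):
    """Parse tab-separated records into dicts; skips blank and comment lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, method, uri, status = line.split("\t")
        events.append({"ts": float(ts), "src": src, "dst": dst,
                       "method": method, "uri": uri, "status": int(status)})
    return events


def max_in_window(stamps, window_seconds):
    """Largest number of timestamps that fall inside any window_seconds span."""
    stamps = sorted(stamps)
    best, lo = 0, 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_noauth_abuse(events, burst_threshold=5, window_seconds=30.0):
    """Flag every apply_noauth.cgi request (medium), and escalate to high when
    one source repeats it within the window, the pattern of a token brute force.
    Thresholds are arbitrary defaults for this example."""
    findings = []
    per_pair = defaultdict(list)
    for e in events:
        if NOAUTH_RE.match(e["uri"]):
            findings.append({"rule": "apply_noauth_cgi_request", "severity": "medium",
                             "src": e["src"], "dst": e["dst"], "ts": e["ts"],
                             "method": e["method"], "uri": e["uri"]})
            per_pair[(e["src"], e["dst"])].append(e["ts"])
    for (src, dst), stamps in per_pair.items():
        count = max_in_window(stamps, window_seconds)
        if count >= burst_threshold:
            findings.append({"rule": "apply_noauth_cgi_burst", "severity": "high",
                             "src": src, "dst": dst, "count": count,
                             "window_seconds": window_seconds})
    return findings


if __name__ == "__main__":
    for f in detect_noauth_abuse(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f["severity"].upper(), f["rule"], f["src"], "->", f["dst"],
              f.get("uri", "count=%d" % f.get("count", 0)))
```

On the constructed sample this yields seven medium findings (every apply_noauth.cgi hit, including the single request from 192.0.2.55) and one high finding for 203.0.113.7, which issued six such requests in under two seconds. The single-request rule is intentionally noisy: the page gives no list of legitimate callers of apply_noauth.cgi, so a practitioner should scope it to sources outside the management network rather than drop it.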

References (5)

Core References (5)
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://seclists.org/fulldisclosure/2016/Dec/72
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/95867
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40949/

Scores

CVSS v3 9.8
EPSS 0.8662
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2017-09-13
CWE
CWE-20
Status published
Products (1)
netgear/wnr2000v5_firmware < 1.0.0.34
Published Jan 30, 2017
Tracked Since Feb 18, 2026