CVE-2016-1555

CRITICAL KEV NUCLEI

Netgear Devices Unauthenticated Remote Command Execution

Title source: metasploit

Exploitation Summary

CVE-2016-1555 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 3 public exploits from researchers including Metasploit, ide0x90, including a Metasploit module exploits/linux/http/netgear_unauth_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated remote command execution vulnerability in multiple Netgear devices by injecting commands into the 'macAddress' parameter of vulnerable PHP scripts. It includes a check method to verify vulnerability and a cmdstager for payload delivery.

Description

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotehardware

https://www.exploit-db.com/exploits/45909

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated remote command execution vulnerability in multiple Netgear devices by injecting commands into the 'macAddress' parameter of vulnerable PHP scripts. It includes a check method to verify vulnerability and a cmdstager for payload delivery.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Netgear WN604 (before 3.3.3), WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, WNDAP660 (before 3.5.5.0)

No auth needed

Prerequisites: Network access to the target device · Vulnerable Netgear device with exposed vulnerable PHP script

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by ide0x90 · remote

https://github.com/ide0x90/cve-2016-1555

View Code ZIP pw:eip

This repository contains a functional Metasploit module that exploits an unauthenticated remote command execution vulnerability in multiple Netgear router models. The exploit leverages command injection via the 'macAddress' parameter in POST requests to specific PHP endpoints.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Netgear WN604 (before 3.3.3), WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, WNDAP660 (before 3.5.5.0)

No auth needed

Prerequisites: Network access to the vulnerable router · Metasploit Framework

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_unauth_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated remote command execution vulnerability in multiple Netgear devices by injecting commands into the 'macAddress' parameter of vulnerable PHP scripts. It uses a command stager to deliver a reverse shell payload.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Netgear WN604 (before 3.3.3), WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, WNDAP660 (before 3.5.5.0)

No auth needed

Prerequisites: Network access to the vulnerable device · Vulnerable Netgear device with exposed vulnerable PHP script

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

NETGEAR WNAP320 Access Point Firmware - Remote Command Injection

CRITICALby gy741

References (5)

Core 5

Core References

Patch, Vendor Advisory x_refsource_confirm

https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/135956/D-Link-Netgear-FIRMADYNE-Command-Injection-Buffer-Overflow.html

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45909/

Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2016/Feb/112

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-1555

Scores

CVSS v3 9.8

EPSS 0.9433

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2022-03-25

VulnCheck KEV 2020-01-08

InTheWild.io 2022-03-25

ENISA EUVD EUVD-2016-2650

CWE

CWE-77

Status published

Products (7)

netgear/wn604_firmware < 3.3.2

netgear/wn802tv2_firmware < 3.0.5.0

netgear/wnap320_firmware < 3.0.5.0

netgear/wndap210v2_firmware < 3.0.5.0

netgear/wndap350_firmware < 3.0.5.0

netgear/wndap360_firmware < 3.0.5.0

netgear/wndap660_firmware < 3.0.5.0

Published Apr 21, 2017

KEV Added Mar 25, 2022

Tracked Since Feb 18, 2026