CVE-2016-6277

HIGH KEV NUCLEI

NETGEAR D6220/D6400/R6250/R6400/R6700/R6900/R7000/R7100LG/R7300DST/R7900/R8000 Firmware - Remote Code Execution

Title source: manual

Exploitation Summary

CVE-2016-6277 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 7, 2022. EIP tracks 3 public exploits from researchers including Metasploit, Acew0rm, thecarterb, Acew0rm, including a Metasploit module exploits/linux/http/netgear_r7000_cgibin_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Netgear R7000 and R6400 routers by sending a crafted HTTP request to the cgi-bin endpoint, allowing remote code execution (RCE) via a wget-based command stager.

Description

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotecgi

https://www.exploit-db.com/exploits/41598

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Netgear R7000 and R6400 routers by sending a crafted HTTP request to the cgi-bin endpoint, allowing remote code execution (RCE) via a wget-based command stager.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Netgear R7000 and R6400 firmware version 1.0.7.2_1.1.93 and earlier

No auth needed

Prerequisites: Network access to the target router · Router must be running vulnerable firmware

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Acew0rm · textwebappscgi

https://www.exploit-db.com/exploits/40889

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated command injection vulnerability in Netgear R7000 routers. The PoC shows how arbitrary commands can be executed via a crafted HTTP request to the router's CGI interface.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Netgear R7000 firmware V1.0.7.2_1.1.93

No auth needed

Prerequisites: Network access to the vulnerable router

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by thecarterb, Acew0rm · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Netgear R7000 and R6400 routers by sending a crafted HTTP request to the cgi-bin endpoint, allowing arbitrary command execution. It uses a cmdstager to deliver the payload via wget.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Netgear R7000 and R6400 firmware version 1.0.7.2_1.1.93 and earlier

No auth needed

Prerequisites: Network access to the router's web interface · Router must be running vulnerable firmware

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 23, 2026 Full analysis →

Nuclei Templates (1)

NETGEAR Routers - Remote Code Execution

HIGHby pikpikcu

References (9)

Core 9

Core References

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/40889/

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41598/

Patch, Vendor Advisory x_refsource_confirm

http://kb.netgear.com/000036386/CVE-2016-582384

Broken Link, Mitigation, Third Party Advisory x_refsource_misc

http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

https://www.kb.cert.org/vuls/id/582384

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/94819

Broken Link, Exploit, Third Party Advisory x_refsource_misc

https://kalypto.org/research/netgear-vulnerability-expanded/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277

Scores

CVSS v3 8.8

EPSS 0.9426

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-07

VulnCheck KEV 2018-03-01

InTheWild.io 2022-03-07

ENISA EUVD EUVD-2016-7207

CWE

CWE-352

Status published

Products (11)

netgear/d6220_firmware < 1.0.0.22

netgear/d6400_firmware < 1.0.0.56

netgear/r6250_firmware < 1.0.4.6_10.1.12

netgear/r6400_firmware < 1.0.1.18

netgear/r6700_firmware < 1.0.1.14

netgear/r6900_firmware < 1.0.1.14

netgear/r7000_firmware < 1.0.7.2_1.1.93

netgear/r7100lg_firmware < 1.0.0.28

netgear/r7300dst_firmware < 1.0.0.46

netgear/r7900_firmware < 1.0.1.8

... and 1 more

Published Dec 14, 2016

KEV Added Mar 07, 2022

Tracked Since Feb 18, 2026