CVE-2016-10174 : The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang

The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated attacker to achieve remote code execution.

Published 2017-01-30 04:59:00

Updated 2025-03-14 15:33:33

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Products affected by CVE-2016-10174

Netgear » Wndr4700 Firmware » Version: N/A
cpe:2.3:o:netgear:wndr4700_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndr4700 » Version: N/A
Netgear » Wnr2000v5 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr2000v5_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr2000v5 » Version: N/A
Netgear » Wnr2000v4 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr2000v4_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr2000v4 » Version: N/A
Netgear » Wnr2000v3 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr2000v3_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr2000v3 » Version: N/A
Netgear » D6100 Firmware » Version: N/A
cpe:2.3:o:netgear:d6100_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » D6100 » Version: N/A
Netgear » Jnr3300 Firmware » Version: N/A
cpe:2.3:o:netgear:jnr3300_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Jnr3300 » Version: N/A
Netgear » R2000 Firmware » Version: N/A
cpe:2.3:o:netgear:r2000_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » R2000 » Version: N/A
Netgear » R6100 Firmware » Version: N/A
cpe:2.3:o:netgear:r6100_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » R6100 » Version: N/A
Netgear » R6220 Firmware » Version: N/A
cpe:2.3:o:netgear:r6220_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » R6220 » Version: N/A
Netgear » R7500 Firmware » Version: N/A
cpe:2.3:o:netgear:r7500_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » R7500 » Version: N/A
Netgear » Wndr4300 Firmware » Version: N/A
cpe:2.3:o:netgear:wndr4300_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndr4300 » Version: N/A
Netgear » Wnr2200 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr2200_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr2200 » Version: N/A
Netgear » Wnr2500 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr2500_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr2500 » Version: N/A
Netgear » Wnr2020 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr2020_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr2020 » Version: N/A
Netgear » Wnr614 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr614_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr614 » Version: N/A
Netgear » Wnr618 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr618_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr618 » Version: N/A
Netgear » D7000 Firmware » Version: N/A
cpe:2.3:o:netgear:d7000_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » D7000 » Version: N/A
Netgear » Wnr2050 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr2050_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr2050 » Version: N/A
Netgear » D7800 Firmware » Version: N/A
cpe:2.3:o:netgear:d7800_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » D7800 » Version: N/A
Netgear » Wndr4300v2 Firmware » Version: N/A
cpe:2.3:o:netgear:wndr4300v2_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndr4300v2 » Version: N/A
Netgear » Wndr4500v3 Firmware » Version: N/A
cpe:2.3:o:netgear:wndr4500v3_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndr4500v3 » Version: N/A
Netgear » R7500v2 Firmware » Version: N/A
cpe:2.3:o:netgear:r7500v2_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » R7500v2 » Version: N/A
Netgear » Jnr1010v2 Firmware » Version: N/A
cpe:2.3:o:netgear:jnr1010v2_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Jnr1010v2 » Version: N/A
Netgear » Jwnr2010v5 Firmware » Version: N/A
cpe:2.3:o:netgear:jwnr2010v5_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Jwnr2010v5 » Version: N/A
Netgear » Wnr1000v4 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr1000v4_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr1000v4 » Version: N/A
Netgear » Wnr1000v2 Firmware » Version: N/A
cpe:2.3:o:netgear:wnr1000v2_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr1000v2 » Version: N/A
Netgear » Wndr3700v4 Firmware » Version: N/A
cpe:2.3:o:netgear:wndr3700v4_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndr3700v4 » Version: N/A
Netgear » Wndr3800 Firmware » Version: N/A
cpe:2.3:o:netgear:wndr3800_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wndr3800 » Version: N/A

CVE-2016-10174 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

NETGEAR WNR2000v5 Router Buffer Overflow Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

The NETGEAR WNR2000v5 router contains a buffer overflow which can be exploited to achieve remote code execution.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2016-10174

Added on 2022-03-25 Action due date 2022-04-15

Exploit prediction scoring system (EPSS) score for CVE-2016-10174

EPSS FAQ

91.84%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2016-10174

NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Buffer Overflow

Disclosure Date: 2016-12-20

First seen: 2020-04-26

exploit/linux/http/netgear_wnr2000_rce

The NETGEAR WNR2000 router has a stack buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply

More information

CVSS scores for CVE-2016-10174

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-04
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST	2024-07-16
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-10174

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Assigned by: nvd@nist.gov (Primary)
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2016-10174

http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability

Insecure Remote Access and Command Execution Security Vulnerability, PSV-2016-0255 | Answer | NETGEAR Support
Vendor Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/40949/

NETGEAR WNR2000v5 - Remote Code Execution
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt

Exploit;Technical Description;Third Party Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/41719/

NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)
Exploit;Third Party Advisory;VDB Entry
http://seclists.org/fulldisclosure/2016/Dec/72

Full Disclosure: [0-day] RCE and admin credential disclosure in NETGEAR WNR2000
Exploit;Mailing List;Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/95867

Netgear WNR2000 Multiple Security Vulnerabilities
Broken Link;Third Party Advisory;VDB Entry

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-10174