Netgear warns users to patch auth bypass, XSS router flaws

Netgear warned customers to update their devices to the latest available firmware, which patches stored cross-site scripting (XSS) and authentication bypass vulnerabilities in several WiFi 6 router models.

The stored XSS security flaw (fixed in firmware version 1.0.0.72 and tracked as PSV-2023-0122) impacts the XR1000 Nighthawk gaming router.

While the company didn’t disclose any details regarding this bug, successful attacks exploiting such weaknesses can let threat actors hijack user sessions, redirect users to malicious sites or display fake login forms, and steal restricted information.

They can also perform actions with the compromised user’s permissions, an especially dangerous scenario if the user has administrative privileges on the targeted device.

The authentication bypass security bug (fixed in firmware version 2.2.2.2 and tracked as PSV-2023-0138) impacts CAX30 Nighthawk AX6 6-Stream cable modem routers.

Even though Netgear hasn’t shared any information regarding this vulnerability either, such flaws are usually tagged as maximum severity since they can provide attackers with unauthorized access to the administrative interface and can result in a complete takeover of the targeted devices.

A Netgear spokesperson was not immediately available to share more details regarding the two security flaws when contacted earlier today.