CVE-2016-10174 : The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cg

The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated attacker to achieve remote code execution.

Published 2017-01-30 04:59:00

Updated 2017-09-03 01:29:03

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

CVE-2016-10174 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

NETGEAR WNR2000v5 Router Buffer Overflow Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

The NETGEAR WNR2000v5 router contains a buffer overflow which can be exploited to achieve remote code execution.

Added on 2022-03-25 Action due date 2022-04-15

Exploit prediction scoring system (EPSS) score for CVE-2016-10174

Probability of exploitation activity in the next 30 days: 97.17%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2016-10174

NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Buffer Overflow

Disclosure Date: 2016-12-20

First seen: 2020-04-26

exploit/linux/http/netgear_wnr2000_rce

The NETGEAR WNR2000 router has a stack buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply

More information

CVSS scores for CVE-2016-10174

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-10174

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-10174

http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability

Insecure Remote Access and Command Execution Security Vulnerability, PSV-2016-0255 | Answer | NETGEAR Support
Patch;Vendor Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/40949/

NETGEAR WNR2000v5 - Remote Code Execution

CVEs referencing this url
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt

Exploit;Technical Description;Third Party Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/41719/

NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)
http://seclists.org/fulldisclosure/2016/Dec/72

Full Disclosure: [0-day] RCE and admin credential disclosure in NETGEAR WNR2000
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/95867

Netgear WNR2000 Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url

Products affected by CVE-2016-10174

Netgear » Wnr2000v5 Firmware
Versions up to, including, (<=) 1.0.0.34
cpe:2.3:o:netgear:wnr2000v5_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Netgear » Wnr2000v5 » Version: N/A

Vulnerability Details : CVE-2016-10174