Vulnerability Note VU#778696
Netgear D6000 and D3600 contain hard-coded cryptographic keys and are vulnerable to authentication bypass
The Netgear D6000 and D3600 routers are vulnerable to authentication bypass and contain hard-coded cryptographic keys embedded in their firmware.
CWE-321: Use of Hard-coded Cryptographic Key -- CVE-2015-8288
The firmware for these devices contains a hard-coded RSA private key, as well as a hard-coded X.509 certificate and key. An attacker with knowledge of these keys could gain administrator access to the device, implement man-in-the-middle attacks, or decrypt passively captured packets.
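An added example, not part of the original note and not Netgear's code: a check that a firmware release pipeline could run over unpacked images to catch the condition described above, private keys or certificates embedded in the image, and to flag identical blocks shipped in more than one image. The image names and contents are constructed, and only PEM-armoured material is matched (DER-encoded keys are an assumption left out of scope).

```python
import hashlib
import re

# PEM armour for the material CWE-321 concerns: private keys and certificates.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY|CERTIFICATE)-----"
    rb".*?-----END \1-----",
    re.DOTALL,
)

def find_key_material(blob):
    """Return one dict per PEM block: offset, label, private flag, SHA-256 of the block."""
    found = []
    for m in PEM_BLOCK.finditer(blob):
        label = m.group(1).decode("ascii")
        found.append({
            "offset": m.start(),
            "label": label,
            "private": label.endswith("PRIVATE KEY"),
            "sha256": hashlib.sha256(m.group(0)).hexdigest(),
        })
    return found

def audit_images(images):
    """images maps name -> bytes. Any image holding a private key fails;
    blocks whose hash appears in more than one image are reported as shared."""
    seen, failed = {}, []
    for name, blob in images.items():
        for item in find_key_material(blob):
            seen.setdefault(item["sha256"], set()).add(name)
            if item["private"] and name not in failed:
                failed.append(name)
    shared = {h: sorted(names) for h, names in seen.items() if len(names) > 1}
    return {"failed": failed, "shared": shared}

# Constructed sample data: the base64 body is a dummy string, not a real key.
KEY = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_IMAGES = {
    "image_a.bin": b"\x7fELF\x00\x00padding" + KEY + b"\x00\x00" + CERT,
    "image_b.bin": b"\x00" * 32 + KEY,
}

if __name__ == "__main__":
    report = audit_images(SAMPLE_IMAGES)
    for name in report["failed"]:
        print("FAIL (private key in image):", name)
    for digest, names in report["shared"].items():
        print("shared block", digest[:16], "in", ", ".join(names))
```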
A remote unauthenticated attacker may be able to gain administrator access to the device, man-in-the-middle a victim on the network, or decrypt passively captured data.
Apply an update
Restrict network access
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Netgear, Inc.|Affected|15 Jan 2015|01 Jul 2016|
Thanks to Mandar Jadhav of Qualys for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-8288, CVE-2015-8289
- Date Public: 10 Jun 2016
- Date First Published: 10 Jun 2016
- Date Last Updated: 01 Jul 2016
- Document Revision: 40