The Netgear D6000 and D3600 routers are vulnerable to authentication bypass and contain hard-coded cryptographic keys embedded in their firmware.
CWE-321: Use of Hard-coded Cryptographic Key -- CVE-2015-8288
The firmware for these devices contains a hard-coded RSA private key, as well as a hard-coded X.509 certificate and key. An attacker with knowledge of these keys could gain administrator access to the device, implement man-in-the-middle attacks, or decrypt passively captured packets.
A remote unauthenticated attacker may be able to gain administrator access to the device, man-in-the-middle a victim on the network, or decrypt passively captured data.
Apply an update
Restrict network access
Thanks to Mandar Jadhav of Qualys for reporting this vulnerability.
This document was written by Garret Wassermann.