Netgear R7000 and R6400 and possibly other models may be vulnerable to Injection attacks, which can be exploited by remote attackers to run malicious scripts with Root privileges.
The Carnegie Mellon University CER disclosed this critical bug (Vulnerability Note VU#582384) with the two popular Netgear Models.
Netgear R7000, firmware version 220.127.116.11_1.1.93 and possibly earlier, and R6400, firmware version 18.104.22.168_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability.
This can be done simply by convincing the user to visit the crafted website and from that point remote attacker can able to trigger the attack by executing arbitrary commands with root privileges on affected routers.
An attacker connected through LAN may do the same by issuing a direct request, e.g. by visiting:
http:///cgi-bin/;COMMAND More than that this exploit code has been disclosed publically.
This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version 22.214.171.124_1.1.2, is vulnerable. Other models may also be affected.
At this time there is no available fix to this problem and CERT/CC recommends “consider stop using until a fix released”.